FabricV2.2_X.509: Why do you need an X.509 certificate?

Enterprise 2023-09-11 21:14:57 views: null

FabricV2.2_X.509: Why do you need an X.509 certificate?

Let’s draw the conclusion first!

  1. FabricV2.2 X.509 certificate is implemented by directly calling go standard lib crypto/x509 package
  2. The X.509 certificate solves the problem that the public key may be replaced during the basic digital signature model process.

First, let’s understand why we need an X.509 certificate?

Model:

  1. Background: The process of A sending a message to B under the basic digital signature model

    1. A uses his own private key signature to generate a digital signature (R, S) and then sends (Msg, (R, S)) to B, where Msg is the message

    2. When Party B receives (Msg, (R, S)), it uses Party A’s public key to verify the signature to determine whether the Msg was sent by Party A.

      digital signature process

  2. Problem: When the public key of A owned by Party B is attacked by a malicious person and replaced with the public key of the malicious person, Party B will mistakenly believe that the message sent by the malicious person is the message sent by Party A.

  3. solution:

    The core of the problem is the credibility of A’s public key

    Therefore, find a third-party organization CA that is trusted by everyone to certify A’s public key.

  4. specific method:

    1. A requests the certificate center CA to certify its public key , then Party A obtains the digital certificate Certification

      Specific process: CA uses its own private key to "encrypt" A's public key to generate a digital certificate Certification** (the encryption here is also the process of signing)**

    2. When A sends a message to B, it will not only attach a digital signature but also a digital certificate (Msg, (R, S), Certification)

    3. B receives (Msg, (R, S), Certification), then uses CA's public key to "decrypt" the Certification to obtain A's real public key (the decryption here is actually the process of signature verification ), and then uses A's real public key key to verify the signature and determine the validity of the message
      Insert image description here

    Explanation: How to solve the problem when the CA's public key is counterfeited?

    You can express your thoughts in the comment area!

Type of CA

The types of CAs can be divided into intermediate CAs and RootCAs
. So what does it look like for a user to apply for his own public key certificate from an intermediate CA? That is, the chain of trust.

Insert image description here

The type of digital certificate issued by the CA can be an X.509 certificate

Here we first give the structural composition of the Go standard library X.509 certificate (details will be introduced in the next blog haha):


// A Certificate represents an X.509 certificate.
type Certificate struct {
    
    
	Raw                     []byte // Complete ASN.1 DER content (certificate, signature algorithm and signature).
	RawTBSCertificate       []byte // Certificate part of raw ASN.1 DER content.
	RawSubjectPublicKeyInfo []byte // DER encoded SubjectPublicKeyInfo.
	RawSubject              []byte // DER encoded Subject
	RawIssuer               []byte // DER encoded Issuer

	Signature          []byte
	SignatureAlgorithm SignatureAlgorithm

	PublicKeyAlgorithm PublicKeyAlgorithm
	PublicKey          interface{
    
    }

	Version             int
	SerialNumber        *big.Int
	Issuer              pkix.Name
	Subject             pkix.Name
	NotBefore, NotAfter time.Time // Validity bounds.
	KeyUsage            KeyUsage

	// Extensions contains raw X.509 extensions. When parsing certificates,
	// this can be used to extract non-critical extensions that are not
	// parsed by this package. When marshaling certificates, the Extensions
	// field is ignored, see ExtraExtensions.
	Extensions []pkix.Extension

	// ExtraExtensions contains extensions to be copied, raw, into any
	// marshaled certificates. Values override any extensions that would
	// otherwise be produced based on the other fields. The ExtraExtensions
	// field is not populated when parsing certificates, see Extensions.
	ExtraExtensions []pkix.Extension

	// UnhandledCriticalExtensions contains a list of extension IDs that
	// were not (fully) processed when parsing. Verify will fail if this
	// slice is non-empty, unless verification is delegated to an OS
	// library which understands all the critical extensions.
	//
	// Users can access these extensions using Extensions and can remove
	// elements from this slice if they believe that they have been
	// handled.
	UnhandledCriticalExtensions []asn1.ObjectIdentifier

	ExtKeyUsage        []ExtKeyUsage           // Sequence of extended key usages.
	UnknownExtKeyUsage []asn1.ObjectIdentifier // Encountered extended key usages unknown to this package.

	// BasicConstraintsValid indicates whether IsCA, MaxPathLen,
	// and MaxPathLenZero are valid.
	BasicConstraintsValid bool
	IsCA                  bool

	// MaxPathLen and MaxPathLenZero indicate the presence and
	// value of the BasicConstraints' "pathLenConstraint".
	//
	// When parsing a certificate, a positive non-zero MaxPathLen
	// means that the field was specified, -1 means it was unset,
	// and MaxPathLenZero being true mean that the field was
	// explicitly set to zero. The case of MaxPathLen==0 with MaxPathLenZero==false
	// should be treated equivalent to -1 (unset).
	//
	// When generating a certificate, an unset pathLenConstraint
	// can be requested with either MaxPathLen == -1 or using the
	// zero value for both MaxPathLen and MaxPathLenZero.
	MaxPathLen int
	// MaxPathLenZero indicates that BasicConstraintsValid==true
	// and MaxPathLen==0 should be interpreted as an actual
	// maximum path length of zero. Otherwise, that combination is
	// interpreted as MaxPathLen not being set.
	MaxPathLenZero bool

	SubjectKeyId   []byte
	AuthorityKeyId []byte

	// RFC 5280, 4.2.2.1 (Authority Information Access)
	OCSPServer            []string
	IssuingCertificateURL []string

	// Subject Alternate Name values. (Note that these values may not be valid
	// if invalid values were contained within a parsed certificate. For
	// example, an element of DNSNames may not be a valid DNS domain name.)
	DNSNames       []string
	EmailAddresses []string
	IPAddresses    []net.IP
	URIs           []*url.URL

	// Name constraints
	PermittedDNSDomainsCritical bool // if true then the name constraints are marked critical.
	PermittedDNSDomains         []string
	ExcludedDNSDomains          []string
	PermittedIPRanges           []*net.IPNet
	ExcludedIPRanges            []*net.IPNet
	PermittedEmailAddresses     []string
	ExcludedEmailAddresses      []string
	PermittedURIDomains         []string
	ExcludedURIDomains          []string

	// CRL Distribution Points
	CRLDistributionPoints []string

	PolicyIdentifiers []asn1.ObjectIdentifier
}

Summarize

  1. In the basic digital signature model process, the public key may be replaced.

  2. The essence of a CA is to use the CA's private key to encrypt the public key that needs to be authenticated to generate a digital certificate. At this time, the digital certificate can be X.509 or other certificate standards.

Guess you like

Origin blog.csdn.net/Blockchain210/article/details/124251641
Recommended
Ranking
SpringBoot-integrate redis
[Sword pointing to offer] Interview question 03: Repeated numbers in an array
Arrangement "Offer Penalty for prove safety" string
Browser prevent the automatic generation of fill and Echo have been saved account solutions
Work hard and never slacken——2022 Yinmai Information Year-End Summary
Install jdk7 on Linux system
App common dependency management tools
EduCoder-Web程序设计基础-html5— 给表单组件添加说明-第1关:label标签相关概念
Machine learning - clustering - density clustering algorithm notes
Ant's large model is exposed, AI+ finance enters the "big model" era
Daily
More
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)
2024-04-22(5)
2024-04-21(0)

Code World

© 2018 codetd.com