一、前言
原本笔者并未注意到本文描述问题,因为工作内容涉及旧证书的迁移,这才偶然接触到,特此记录特例情况。
实际上,若是严格按照标准规范,目前实际实测下来比较出名的依赖包都是没问题的,本文描述情况不兼容也不能说不行。
但可能现实情况就是因为一些历史原因等等,导致存量的不可重新生成的证书只能依旧是以不太标准的情况存在。
于是,本文附带讲解为什么它们不太标准,以及标准情况是怎样的,还有应该如何提高代码兼容性以兼容这种不太标准的情况。
二、RFC 5208 关于此字段的定义
原文链接(IETF 制订):RFC5280
The basic constraints extension identifies whether the subject of the certificate is a CA and the maximum depth of valid certification paths that include this certificate.
The cA boolean indicates whether the certified public key may be used to verify certificate signatures. If the cA boolean is not asserted, then the keyCertSign bit in the key usage extension MUST NOT be asserted. If the basic constraints extension is not present in a version 3 certificate, or the extension is present but the cA boolean is not asserted, then the certified public key MUST NOT be used to verify certificate signatures.
The pathLenConstraint field is meaningful only if the cA boolean is asserted and the key usage extension, if present, asserts the keyCertSign bit (Section 4.2.1.3). In this case, it gives the maximum number of non-self-issued intermediate certificates that may follow this certificate in a valid certification path. (Note: The last certificate in the certification path is not an intermediate certificate, and is not included in this limit. Usually, the last certificate is an end entity certificate, but it can be a CA certificate.) A pathLenConstraint of zero indicates that no non- self-issued intermediate CA certificates may follow in a valid certification path. Where it appears, the pathLenConstraint field MUST be greater than or equal to zero. Where pathLenConstraint does not appear, no limit is imposed.
Conforming CAs MUST include this extension in all CA certificates that contain public keys used to validate digital signatures on certificates and MUST mark the extension as critical in such certificates. This extension MAY appear as a critical or non-critical extension in CA certificates that contain public keys used exclusively for purposes other than validating digital signatures on certificates. Such CA certificates include ones that contain public keys used exclusively for validating digital signatures on CRLs and ones that contain key management public keys used with certificate enrollment protocols. This extension MAY appear as a critical or non-critical extension in end entity certificates.
CAs MUST NOT include the pathLenConstraint field unless the cA boolean is asserted and the key usage extension asserts the keyCertSign bit.
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL
}
三、ASN.1 和 DER
ASN.1(Abstract Syntax Notation One, 抽象语法规范一):
-
定义数据结构类型(如
INTEGER,BOOLEAN,SEQUENCE)和值(如cA: BOOLEAN) -
平台无关:独立于编程语言和硬件。
-
仅描述:不涉及如何编码为二进制。
-
国际标准
-
ISO/IEC 14888-3:2018:国际标准化组织(ISO)和 国际电工委员会(IEC) 共同制定的标准。(注:此文档需要付费购买)
-
ITU-T X.690:国际电联电信标准化部门 制订的标准。
-
-
国内标准
-
GB/T 16263.1:中华人民共和国国家标准
-
DER(Distinguished Encoding Rules,非典型编码规则):
-
将 ASN.1 定义的数据结构转换为唯一确定的二进制流(如 HEX 30030101FF)。
-
DER 是 ASN.1 编码规则家族的一员(基于 BER,但增加严格约束)。
-
同一 ASN.1 结构通过 DER 编码后,结果绝对唯一(这是证书签名的核心要求)。
-
在以上 ASN.1 的标准文档中,都有专门描述 DER 编码的规则(当然,也有描述 BER 编码规则)。