为什么 jetty 将证书主题参数 S 转换为 ST?
Why jetty transformed certificate subject parameter S to ST?
我正在使用主题为
的证书
CN = operator-1505
O = Test org
L = Moscow
S = Moscow
C = RU
但是当我尝试在我的 servlet 中获取此证书时:
@Override
protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
X509Certificate[] certificates = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
if (certificates != null && certificates.length == 1) {
X509Certificate certificate = certificates[0];
authenticate(certificate, req, resp);
}
}
certificate 变量中的主题是:
CN=operator-1505, O=Test org, L=Moscow, ST=Moscow, C=RU
为什么 jetty 将 S 参数转换为 ST?
S(或ST)不在证书中。它包含的是对象标识符 (OID) 2.5.4.8.
OpenSSL 曾经有 a snarky comment 说这个 OID 的缩写形式的权威答案是 "ST",但微软使用 "S".
可能是两个不同的 RFC 以不同的短格式引用了相同的 OID,并且每个库最终都有自己的答案来说明该特定值的用途。
如果您可以使用跨环境稳定的 OID 值打印名称,否则您可能只需要想出一种方法来匹配 S= 或 ST=。
编辑:我很高兴地注意到 ITU-T X.520 (2012/10) 说 "ST" 是正确答案,而使用 S=例如:
6.3.3 State or Province Name
The State or Province Name attribute type specifies a state or province. When used as a component of a directory name, it identifies a geographical subdivision in which the named object is physically located or with which it is associated in some other important way.
An attribute value for State or Province Name is a string, e.g., S = "Ohio"
stateOrProvinceName ATTRIBUTE ::= {
SUBTYPE OF name
WITH SYNTAX UnboundedDirectoryString
LDAP-SYNTAX directoryString.&id
LDAP-NAME {"st"}
ID id-at-stateOrProvinceName }
(强调我的,遗憾的是我不能同时强调和保留空格的“LDAP-NAME {"st"}”)
我正在使用主题为
的证书CN = operator-1505
O = Test org
L = Moscow
S = Moscow
C = RU
但是当我尝试在我的 servlet 中获取此证书时:
@Override
protected void service(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
X509Certificate[] certificates = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
if (certificates != null && certificates.length == 1) {
X509Certificate certificate = certificates[0];
authenticate(certificate, req, resp);
}
}
certificate 变量中的主题是:
CN=operator-1505, O=Test org, L=Moscow, ST=Moscow, C=RU
为什么 jetty 将 S 参数转换为 ST?
S(或ST)不在证书中。它包含的是对象标识符 (OID) 2.5.4.8.
OpenSSL 曾经有 a snarky comment 说这个 OID 的缩写形式的权威答案是 "ST",但微软使用 "S".
可能是两个不同的 RFC 以不同的短格式引用了相同的 OID,并且每个库最终都有自己的答案来说明该特定值的用途。
如果您可以使用跨环境稳定的 OID 值打印名称,否则您可能只需要想出一种方法来匹配 S= 或 ST=。
编辑:我很高兴地注意到 ITU-T X.520 (2012/10) 说 "ST" 是正确答案,而使用 S=例如:
6.3.3 State or Province Name
The State or Province Name attribute type specifies a state or province. When used as a component of a directory name, it identifies a geographical subdivision in which the named object is physically located or with which it is associated in some other important way.
An attribute value for State or Province Name is a string, e.g., S = "Ohio"
stateOrProvinceName ATTRIBUTE ::= { SUBTYPE OF name WITH SYNTAX UnboundedDirectoryString LDAP-SYNTAX directoryString.&id LDAP-NAME {"st"} ID id-at-stateOrProvinceName }
(强调我的,遗憾的是我不能同时强调和保留空格的“LDAP-NAME {"st"}”)