使用 x5c 和 x5t 参数创建 JWK 密钥

JWK Key Creation with x5c and x5t parameters

我有生成JWK的需求,参数如下:

注:

前 5 个参数(“kty”、“kid”、“use”、“n”、“e”)相当简单,不是问题。但是,对于“x5c”和“x5t”组件,我不确定如何生成它们。似乎我可以使用工具创建 x509 证书,例如在 https://www.samltool.com/self_signed_certs.php 找到的工具,我想在那里生成的 x509 证书应该是 x5c 参数。这是正确的吗?我如何从中生成 x5t(证书指纹)?

感谢所有帮助。

由于您既没有标记工具也没有标记语言,我认为这是对这两个参数的一般解释。

x5c 中存储了证书或证书链,在 x5t 中存储了相关的指纹。 certificate or certificate chain is used to prove ownership of a public key, the thumbprint 是用于 identify/compare 证书的证书哈希。

两个参数的确切定义在RFC 7517, JSON Web Key (JWK), chapters 4.7 x5c and 4.8 x5t:

中描述
  • x5c:

The "x5c" (X.509 certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value. The PKIX certificate containing the key value MUST be the first certificate. This MAY be followed by additional certificates, with each subsequent certificate being the one used to certify the previous one. The key in the first certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL...

  • x5t:

The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280]. Note that certificate thumbprints are also sometimes known as certificate fingerprints. The key in the certificate MUST match the public key represented by other members of the JWK. Use of this member is OPTIONAL.

创建证书:

还可以生成自签名证书(除了您使用的在线工具之外),例如使用 OpenSSL。以下 OpenSSL 语句

openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.crt -days 365

生成 PKCS#8 格式的私有(未加密)PEM 编码的 4096 位密钥 (key.pem):

-----BEGIN PRIVATE KEY-----
MIIJRAIBADANBgkqhkiG9w0BAQEFAASCCS4wggkqAgEAAoICAQDkWIfV9uL3XMay
...
OPAsywknGU1A/xTa3fFKO9KV6t/T9z3G
-----END PRIVATE KEY-----

和 PEM 编码证书(cert.crt):

-----BEGIN CERTIFICATE-----
MIIF4zCCA8ugAwIBAgIJAKSZ5oC4tblkMA0GCSqGSIb3DQEBCwUAMIGHMQswCQYD
...
6aBMYeKy0dqjtZIlO8rm2Rialc7Qt+0=
-----END CERTIFICATE-----

有关更多选项和详细信息,请参阅 openssl req and the post How to generate a self-signed SSL certificate using OpenSSL?

请注意,自签名证书由所有者签名。自签名证书用于内部页面或测试环境。相比之下,CA 签名的证书是由第三方签署的,public 非常受信任的证书颁发机构 (CA),例如 DigiCert 或 Thawte 等。对于面向 public 的网站,s。还有 here. A signed certificate is requested with a CSR.

证书、证书链、证书颁发机构等是 public key infrastructure 的一部分。

x5c的使用示例:

在RFC 7517的Appendix B中,给出了x5c参数的使用示例。 DER 编码的证书是 Base64 编码的,包含在 JSON 数组中:

{
    "kty":"RSA",
    "use":"sig",
    "kid":"1b94c",
    "n":"vrjOfz9Ccdgx5nQudyhdoR17V-IubWMeOZCwX_jj0hgAsz2J_pqYW08
    PLbK_PdiVGKPrqzmDIsLI7sA25VEnHU1uCLNwBuUiCO11_-7dYbsr4iJmG0Q
    u2j8DsVyT1azpJC_NG84Ty5KKthuCaPod7iI7w0LK9orSMhBEwwZDCxTWq4a
    YWAchc8t-emd9qOvWtVMDC2BXksRngh6X5bUYLy6AyHKvj-nUy1wgzjYQDwH
    MTplCoLtU-o-8SNnZ1tmRoGE9uJkBLdh5gFENabWnU5m1ZqZPdwS-qo-meMv
    VfJb6jJVWRpl2SUtCnYG2C32qvbWbjZ_jBPD5eunqsIo1vQ",
    "e":"AQAB",
    "x5c":
    ["MIIDQjCCAiqgAwIBAgIGATz/FuLiMA0GCSqGSIb3DQEBBQUAMGIxCzAJB
    gNVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYD
    VQQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1
    wYmVsbDAeFw0xMzAyMjEyMzI5MTVaFw0xODA4MTQyMjI5MTVaMGIxCzAJBg
    NVBAYTAlVTMQswCQYDVQQIEwJDTzEPMA0GA1UEBxMGRGVudmVyMRwwGgYDV
    QQKExNQaW5nIElkZW50aXR5IENvcnAuMRcwFQYDVQQDEw5CcmlhbiBDYW1w
    YmVsbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL64zn8/QnH
    YMeZ0LncoXaEde1fiLm1jHjmQsF/449IYALM9if6amFtPDy2yvz3YlRij66
    s5gyLCyO7ANuVRJx1NbgizcAblIgjtdf/u3WG7K+IiZhtELto/A7Fck9Ws6
    SQvzRvOE8uSirYbgmj6He4iO8NCyvaK0jIQRMMGQwsU1quGmFgHIXPLfnpn
    fajr1rVTAwtgV5LEZ4Iel+W1GC8ugMhyr4/p1MtcIM42EA8BzE6ZQqC7VPq
    PvEjZ2dbZkaBhPbiZAS3YeYBRDWm1p1OZtWamT3cEvqqPpnjL1XyW+oyVVk
    aZdklLQp2Btgt9qr21m42f4wTw+Xrp6rCKNb0CAwEAATANBgkqhkiG9w0BA
    QUFAAOCAQEAh8zGlfSlcI0o3rYDPBB07aXNswb4ECNIKG0CETTUxmXl9KUL
    +9gGlqCz5iWLOgWsnrcKcY0vXPG9J1r9AqBNTqNgHq2G03X09266X5CpOe1
    zFo+Owb1zxtp3PehFdfQJ610CDLEaS9V9Rqp17hCyybEpOGVwe8fnk+fbEL
    2Bo3UPGrpsHzUoaGpDftmWssZkhpBJKVMJyf/RuP2SmmaIzmnw9JiSlYhzo
    4tpzd5rFXhjRbg4zW9C+2qok+2+qDM1iJ684gPHMIY8aLWrdgQTxkumGmTq
    gawR+N5MDtdPTEQ0XfIBc2cJEUyMTY5MPvACWpkA6SdS4xSvdXK3IVfOWA=="]
} 

请注意,值内的换行符仅用于显示目的。 DER编码是PEM编码去掉页眉、页脚和换行符,其余部分进行Base64解码的结果,即Base64解码后的DER编码证书是没有换行符的PEM编码证书的主体。

对于证书链,证书以逗号分隔,参见例如RFC 7515, Appendix B, x5c.

Thumbprint/Fingerprint:

证书的指纹是 DER 编码证书的 SHA-1 哈希,可以使用 OpenSSL 生成,如下所示,s。还有 here:

openssl x509 -in cert.crt -noout -fingerprint

这里cert.crt是PEM编码的证书。有关详细信息,请参阅 openssl x509

示例:如果使用来自 RFC 7517 附录 B 的证书,则 OpenSSL 语句 returns 输出如下:

SHA1 Fingerprint=E2:93:5E:9C:40:4B:BF:42:69:2C:87:6E:81:6C:50:90:EB:19:70:AD

即十六进制编码的指纹是:E2935E9C404BBF42692C876E816C5090EB1970AD 或 Base64url 编码:4pNenEBLv0JpLIdugWxQkOsZcK0。后者的值为x5t:

"x5t":"4pNenEBLv0JpLIdugWxQkOsZcK0"