从CERT.RSA中提取证书

原文链接：http://www.wangchen.org/2011/01/%E4%BB%8Ecert-rsa%E4%B8%AD%E6%8F%90%E5%8F%96%E8%AF%81%E4%B9%A6/

Apk 包中的META-INF目录下，有一个CERT.RSA，它是一个PKCS7 格式的文件。

下面介绍几种从中获取证书的方法。

Linux command line

openssl pkcs7 -inform DER -in CERT.RSA -noout -print_certs -text

你可以得到一个文本输出：

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1281971851 (0x4c69568b)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Michael Liu
        Validity
            Not Before: Aug 16 15:17:31 2010 GMT
            Not After : Aug 10 15:17:31 2035 GMT
        Subject: CN=Michael Liu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:8d:04:84:a2:1e:c6:56:39:f2:cd:a6:f0:48:a5:
                    f7:5e:71:8f:e1:a8:af:a7:dc:66:92:a2:b9:cf:da:
                    0f:32:42:ce:83:fe:bc:e1:4f:0a:fd:d9:a8:b3:73:
                    f4:ff:97:15:17:87:d6:d0:3c:da:01:fc:11:40:7d:
                    04:da:31:cc:cd:da:d0:e7:7b:e3:c1:84:30:9f:21:
                    93:95:20:48:b1:2d:24:02:d2:b9:3c:87:0d:fa:b8:
                    e1:b1:45:f4:8d:90:0a:3b:9d:d8:8a:9a:96:d1:51:
                    23:0e:8e:c4:09:68:7d:95:be:c6:42:e9:54:a1:5c:
                    5d:3f:25:d8:5c:c3:42:73:21
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        78:3c:6b:ef:71:70:55:68:28:80:4d:f8:b5:cd:83:a9:01:21:
        2a:c1:e4:96:ad:bc:5f:67:0c:cd:c3:34:51:6d:63:90:a9:f9:
        d5:5e:c7:ef:34:43:86:7d:68:e1:99:87:92:86:34:91:6d:67:
        6d:b2:22:e9:5e:28:aa:e8:05:52:04:6e:4e:d4:7f:0f:b0:d6:
        28:f5:2b:11:38:d5:15:cb:e3:e4:c9:99:23:c1:84:4f:ce:69:
        e9:b1:59:7b:8e:30:01:1c:e1:92:ee:0d:54:61:29:f5:8e:9e:
        42:72:26:2b:aa:c7:af:d9:c9:d1:85:95:8e:4c:8d:5c:77:c5:
        ce:4e

Java

这是最简单的

import sun.security.pkcs.PKCS7;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class Test {
    public static void main(String[] args) throws CertificateException, IOException {
        FileInputStream fis = new FileInputStream("/Users/wangchen/Desktop/CERT.RSA");
        PKCS7 pkcs7 = new PKCS7(fis);
        X509Certificate publicKey = pkcs7.getCertificates()[0];

        System.out.println("issuer1:" + publicKey.getIssuerDN());
        System.out.println("subject2:" + publicKey.getSubjectDN());
        System.out.println(publicKey.getPublicKey());
    }
}

使用openssl-dev 的C API

#include <openssl/bio.h>
#include <openssl/x509.h>
#include <openssl/pkcs7.h>
#include <string>
#include <iostream>
using namespace std;
string to_string(X509_NAME* name)
{
    BIO* mem = BIO_new(BIO_s_mem());
    if (mem == NULL)
        return NULL;

    if (X509_NAME_print_ex(mem, name, 0, XN_FLAG_RFC2253) < 0)         return NULL;     string str;     char buf[128];     while((BIO_gets(mem, &buf[0], sizeof(buf))) > 0)
    {
        str.append(buf);
    }
    BIO_free(mem);
    return str;
}

int main()
{
	FILE* fp;
    if (!(fp = fopen("CERT.RSA", "rb")))
    {
        fprintf(stderr, "Error reading input pkcs7 file\n" );
        exit(1);
    }
	/* todo: 这里可能有内存漏洞，有空查一下文档 */
    PKCS7* pkcs7 = d2i_PKCS7_fp(fp, NULL);
    X509* cert = sk_X509_pop(pkcs7->d.sign->cert);
    string subject = to_string(X509_get_subject_name(cert));
    string issuer = to_string(X509_get_issuer_name(cert));
    char *modulus = BN_bn2dec(X509_get_pubkey(cert)->pkey.rsa->n);
    cout << subject << endl;
    OPENSSL_free(modulus);
    fclose(fp);
    return 0;
}

Python

我没在Python 2.x 的OpenSSL 库中找到从PKCS7中提取证书的方法……
看来无奈时刻只能自己做Binding了。