OpenSSL defines a dedicated data structure for X.509 certificates so that callers can work with them conveniently. As declared in openssl/x509.h in OpenSSL 0.9.8 (later 1.0.x releases add a few more cached extension members, and from OpenSSL 1.1.0 the structure is opaque and must be accessed through the X509_get_*() functions), it looks like this:
struct x509_st
    {
    X509_CINF *cert_info;
    X509_ALGOR *sig_alg;
    ASN1_BIT_STRING *signature;
    int valid;
    int references;
    char *name;
    CRYPTO_EX_DATA ex_data;
    /* the ex_* members below are copies of values decoded from the extensions */
    long ex_pathlen;
    long ex_pcpathlen;
    unsigned long ex_flags;
    unsigned long ex_kusage;
    unsigned long ex_xkusage;
    unsigned long ex_nscert;
    ASN1_OCTET_STRING *skid;
    struct AUTHORITY_KEYID_st *akid;
    X509_POLICY_CACHE *policy_cache;
#ifndef OPENSSL_NO_SHA
    unsigned char sha1_hash[SHA_DIGEST_LENGTH];
#endif
    X509_CERT_AUX *aux;
    } /* X509 */;
This structure represents one complete digital certificate. The members mean the following:
cert_info: the certificate body (the ASN.1 tbsCertificate), i.e. everything the CA signed;
sig_alg: the outer signature algorithm (signatureAlgorithm);
signature: the signature value, the CA's signature over the DER encoding of cert_info;
valid: set to 1 by the chain verifier once the signature on this certificate has been checked against its issuer's key; 0 means "not yet checked", not "invalid";
references: reference count, incremented for every new reference and decremented by X509_free(); the object is released when it reaches 0;
name: a cached one-line text rendering of the subject name, filled in when the certificate is decoded;
ex_data: application-defined extra data (CRYPTO_EX_DATA) attached to the object by the caller;
ex_pathlen: the pathLenConstraint from basicConstraints, cached; -1 if the extension or the constraint is absent;
ex_pcpathlen: the requireExplicitPolicy value from policyConstraints, cached; -1 if absent;
ex_flags: EXFLAG_* bits recording which extensions were found and what they said (for example whether the certificate is a CA, self-signed, a v1 certificate, or carried an invalid extension);
ex_kusage: keyUsage bits (KU_*);
ex_xkusage: extendedKeyUsage bits (XKU_*);
ex_nscert: Netscape certificate type bits (NS_*);
skid: subjectKeyIdentifier;
akid: authorityKeyIdentifier (key identifier, and optionally issuer name and serial);
policy_cache: cached certificate-policy data used by path validation;
sha1_hash: the SHA-1 digest of the DER-encoded certificate (its fingerprint), computed when the certificate is decoded;
aux: auxiliary trust data (X509_CERT_AUX: trusted and rejected purposes, alias, key id) that the application attached; it is not part of the certificate and is not covered by the signature.
Two points matter for anyone relying on these fields. First, only cert_info, sig_alg and signature come from the wire; everything after them is local state that OpenSSL derives (name, the ex_* cache, sha1_hash) or the application supplies (ex_data, aux), and aux in particular expresses the local trust settings, not anything the issuer asserted. Second, the ex_* members are a lazily filled cache: x509v3_cache_extensions() populates them the first time a function such as X509_check_purpose() or X509_check_ca() needs them, and the verifier then reads the cache rather than re-parsing the extensions. A basicConstraints extension with a pathLenConstraint but CA:FALSE, for instance, is recorded as EXFLAG_INVALID in ex_flags, which is what later causes the certificate to be rejected.
The certificate body, X509_CINF, is defined as follows; it is the TBSCertificate of RFC 5280 field for field:
typedef struct x509_cinf_st
    {
    ASN1_INTEGER *version;                 // [0] EXPLICIT, optional: absent means v1; v2 is encoded as 1, v3 as 2
    ASN1_INTEGER *serialNumber;            // serial number
    X509_ALGOR *signature;                 // inner signature algorithm; must equal x509_st.sig_alg
    X509_NAME *issuer;                     // issuer
    X509_VAL *validity;                    // validity period (notBefore / notAfter)
    X509_NAME *subject;                    // subject (holder)
    X509_PUBKEY *key;                      // subject public key (SubjectPublicKeyInfo)
    ASN1_BIT_STRING *issuerUID;            // [1] IMPLICIT, optional, v2 and later
    ASN1_BIT_STRING *subjectUID;           // [2] IMPLICIT, optional, v2 and later
    STACK_OF(X509_EXTENSION) *extensions;  // [3] EXPLICIT, optional, v3 only
    } X509_CINF;
Note that the signature algorithm identifier appears twice: once inside the signed body (cert_info->signature) and once outside it (sig_alg). RFC 5280 §4.1.1.2 requires the two to be identical, and X509_verify() in current OpenSSL releases rejects a certificate in which they differ. The reason is that only the inner copy is covered by the signature; a verifier that selected its algorithm from the unsigned outer copy alone could be steered to a different algorithm than the one the CA actually used.
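To make the layout of both structures concrete, here is an added example (written for this page, not OpenSSL's own code) in pure Python that does not call OpenSSL at all. It constructs a small v3 CA certificate with a placeholder signature, then walks the DER into the same members listed above: the three wire-level members of x509_st, the X509_CINF fields, the ex_pathlen and ex_kusage values OpenSSL caches from basicConstraints and keyUsage, the SHA-1 fingerprint, and the check that the inner signature algorithm matches the outer sig_alg. The helper names, the "Example Root CA" name, the toy RSA values and the zero-filled signature are all constructed for the example; the OIDs are the real ones.

```python
# Added example (pure Python, no OpenSSL): walk a DER certificate into the same members as
# x509_st / X509_CINF. The input certificate is constructed below with a placeholder signature.
import hashlib

SEQ, SET, BOOL, INT, BITSTR, OCTSTR, OID, UTF8, UTCTIME = 0x30, 0x31, 0x01, 0x02, 0x03, 0x04, 0x06, 0x0C, 0x17
CTX0, CTX1, CTX2, CTX3 = 0xA0, 0x81, 0x82, 0xA3          # [0] version, [1]/[2] UIDs, [3] extensions
NULL = b"\x05\x00"
OID_SHA256_RSA = bytes.fromhex("2a864886f70d01010b")     # 1.2.840.113549.1.1.11
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")       # 1.2.840.113549.1.1.5
OID_RSA = bytes.fromhex("2a864886f70d010101")            # 1.2.840.113549.1.1.1
OID_CN, OID_BASIC_CONSTRAINTS, OID_KEY_USAGE = bytes.fromhex("550403"), bytes.fromhex("551d13"), bytes.fromhex("551d0f")

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, raw_tlv, next_pos)."""
    start, tag, ln, pos = pos, buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + ln > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + ln], buf[start:pos + ln], pos + ln

def children(body):
    """All TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, raw, pos = read_tlv(body, pos)
        out.append((tag, val, raw))
    return out

def x509_name(cn):
    """X509_NAME with a single CN RDN (constructed for the example)."""
    return tlv(SEQ, tlv(SET, tlv(SEQ, tlv(OID, OID_CN) + tlv(UTF8, cn.encode()))))

def build_cert(inner_alg, outer_alg):
    """Constructed v3 CA certificate; the signature is zero padding, not a real signature."""
    tbs = tlv(SEQ,
        tlv(CTX0, tlv(INT, b"\x02"))                         # version: v3 is encoded as 2
        + tlv(INT, b"\x10\x20\x30")                          # serialNumber
        + tlv(SEQ, tlv(OID, inner_alg) + NULL)               # signature: inner AlgorithmIdentifier
        + x509_name("Example Root CA")                       # issuer
        + tlv(SEQ, tlv(UTCTIME, b"240101000000Z") + tlv(UTCTIME, b"340101000000Z"))  # validity
        + x509_name("Example Root CA")                       # subject (self-issued)
        + tlv(SEQ, tlv(SEQ, tlv(OID, OID_RSA) + NULL)        # key: SubjectPublicKeyInfo, toy RSA values
              + tlv(BITSTR, b"\x00" + tlv(SEQ, tlv(INT, b"\x00\xc1") + tlv(INT, b"\x01\x00\x01"))))
        + tlv(CTX3, tlv(SEQ,                                 # extensions, both marked critical
              tlv(SEQ, tlv(OID, OID_BASIC_CONSTRAINTS) + tlv(BOOL, b"\xff")
                  + tlv(OCTSTR, tlv(SEQ, tlv(BOOL, b"\xff") + tlv(INT, b"\x00"))))   # CA:TRUE, pathlen:0
              + tlv(SEQ, tlv(OID, OID_KEY_USAGE) + tlv(BOOL, b"\xff")
                  + tlv(OCTSTR, tlv(BITSTR, b"\x01\x06"))))))   # keyCertSign | cRLSign
    return tlv(SEQ, tbs + tlv(SEQ, tlv(OID, outer_alg) + NULL) + tlv(BITSTR, b"\x00" + bytes(32)))

def parse_x509(der):
    """Return the x509_st members, the X509_CINF fields, and the ex_* values OpenSSL caches."""
    tag, body, _, end = read_tlv(der, 0)
    if tag != SEQ or end != len(der):
        raise ValueError("certificate must be exactly one SEQUENCE with no trailing bytes")
    (_, tbs, _), (_, _, sig_alg_raw), (_, sig, _) = children(body)   # exactly three members
    fields = children(tbs)
    cinf = {"version": 0}                                    # v1 when the [0] tag is absent
    if fields and fields[0][0] == CTX0:
        cinf["version"], fields = children(fields[0][1])[0][1][0], fields[1:]
    if len(fields) < 6:
        raise ValueError("tbsCertificate is missing a mandatory field")
    for key, (_, _, raw) in zip(["serialNumber", "signature", "issuer", "validity", "subject", "key"], fields):
        cinf[key] = raw                                      # raw DER, as the X509_CINF pointers hold it
    cinf["serialNumber"] = int.from_bytes(fields[0][1], "big", signed=True)
    cinf["extensions"] = []
    for tag, val, _ in fields[6:]:                           # optional v2/v3 tail
        if tag in (CTX1, CTX2):
            cinf["issuerUID" if tag == CTX1 else "subjectUID"] = val
        elif tag == CTX3:
            cinf["extensions"] = children(children(val)[0][1])
    cert = {"cert_info": cinf, "sig_alg": sig_alg_raw, "signature": sig[1:],
            # RFC 5280 4.1.1.2: outer signatureAlgorithm must equal tbsCertificate.signature
            "sig_alg_matches_inner": sig_alg_raw == cinf["signature"],
            "sha1_hash": hashlib.sha1(der).hexdigest(),      # fingerprint over the whole DER
            "ex_pathlen": -1, "ex_kusage": 0}
    for _, ext, _ in cinf["extensions"]:
        ext_parts = children(ext)                            # OID, optional critical BOOLEAN, OCTET STRING
        oid, value = ext_parts[0][1], ext_parts[-1][1]
        if oid == OID_BASIC_CONSTRAINTS:
            for t, v, _ in children(children(value)[0][1]):
                if t == INT:                                 # pathLenConstraint
                    cert["ex_pathlen"] = int.from_bytes(v, "big")
        elif oid == OID_KEY_USAGE:
            bits = children(value)[0][1][1:]                 # drop the unused-bits octet
            cert["ex_kusage"] = bits[0] | ((bits[1] << 8) if len(bits) > 1 else 0)
    return cert
```

Calling parse_x509(build_cert(OID_SHA256_RSA, OID_SHA256_RSA)) yields version 2, ex_pathlen 0, ex_kusage 0x06 (the same KU_KEY_CERT_SIGN | KU_CRL_SIGN value OpenSSL would cache) and sig_alg_matches_inner True; building the certificate with OID_SHA1_RSA as the outer algorithm flips that flag to False while leaving the signed body untouched, which is exactly the mismatch the prose above warns about. The parser also refuses trailing bytes after the outer SEQUENCE so that sha1_hash covers precisely what was parsed.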