签署证书时，授权密钥标识符被复制到 SKID

我已经实施了一个 hacky 解决方法来添加 SKID 和 authorityKeyIdentifier。生成的证书有效。但是，由于structx *C.X509的成员Certificate未导出，因此访问它们的唯一方法是通过不安全的指针和强制转换。这不是推荐的方式，而是spacemonkey/go更新之前的一种方式（我怀疑它会很快发生）。func addAuthorityKeyIdentifier(c *openssl.Certificate) error {    var ctx C.X509V3_CTX    C.X509V3_set_ctx(&ctx, nil, nil, nil, nil, 0)    // this is ugly and very unsafe!    cx509 := *(**C.X509)(unsafe.Pointer(c))    cx509Issuer := cx509    if c.Issuer != nil {        cx509Issuer = *(**C.X509)(unsafe.Pointer(c.Issuer))    }    ctx.issuer_cert = cx509Issuer    cExtName := C.CString("authorityKeyIdentifier")    defer C.free(unsafe.Pointer(cExtName))    cExtValue := C.CString("keyid:always,issuer:always")    defer C.free(unsafe.Pointer(cExtValue))    extension := C.X509V3_EXT_nconf(nil, &ctx, cExtName, cExtValue)    if extension == nil {        return errors.New("failed to set 'authorityKeyIdentifier' extension")    }    defer C.X509_EXTENSION_free(extension)    addResult := C.X509_add_ext(cx509, extension, -1)    if addResult == 0 {        return errors.New("failed to set 'authorityKeyIdentifier' extension")    }    return nil}func addSKIDExtension(c *openssl.Certificate) error {    var ctx C.X509V3_CTX    C.X509V3_set_ctx(&ctx, nil, nil, nil, nil, 0)        // this is ugly and very unsafe!    cx509 := *(**C.X509)(unsafe.Pointer(c))    _ = cx509    ctx.subject_cert = cx509    _ = ctx    cExtName := C.CString("subjectKeyIdentifier")    defer C.free(unsafe.Pointer(cExtName))    cExtValue := C.CString("hash")    defer C.free(unsafe.Pointer(cExtValue))    extension := C.X509V3_EXT_nconf(nil, &ctx, cExtName, cExtValue)    if extension == nil {        return errors.New("failed to set 'subjectKeyIdentifier' extension")    }    defer C.X509_EXTENSION_free(extension)    // adding itself as a subject    addResult := C.X509_add_ext(cx509, extension, -1)    if addResult == 0 {        return errors.New("failed to set 'subjectKeyIdentifier' extension")    }    return nil}

签署证书时，授权密钥标识符被复制到 SKID

1回答