DCP打包中生成KDM所需要的CA证书
在数字电影中所有环节都涉及到加密解密,期中就包含KDM文件所需要的加密所用的加密证书。
该标准为:SMPTE 430-2-2006
我们知道现在大部分涉及CA的基本上都是用openssl来实现。
如何构建生成自己的根证书和中间机构证书和端证书,请自行搜索万恶的baidu
数字电影对证书做了一些限制,其属于509所支持的子集。
本篇文章只是解析一下证书中包含哪些信息,及该信息的含义:
我们生成证书可以选择PEM和DER两种格式输出,PEM是对DER做了base64编码的文件输出便于直接用文本编辑器查看。
我们在命令行用openssl打开证书看看证书里面包含哪些信息:
openssl x509 -in C:\Users\hasee\Desktop\dcp\encryption\kdm\kfg365.cert.sha256.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:37:8f:90:56:1d:fc:b0
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = DC2.SMPTE.DOREMILABS.COM, OU = DC.DOREMILABS.COM, CN = .US1.DCS.DOLPHIN.DC2.SMPTE, dnQualifier = BnB0iDJLgyqiWUjn1uqrOy2/DEE=
Validity
Not Before: Jan 1 00:00:00 2007 GMT
Not After : Dec 1 00:00:00 2025 GMT
Subject: O = DC2.SMPTE.DOREMILABS.COM, OU = DC.DOREMILABS.COM, CN = LE SPB MD FM SM.IMB-227577.DC.DOLPHIN.DC2.SMPTE, dnQualifier = "dUsGkBgVHURva/kNS+EHaCrg87M="
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b4:35:65:41:44:be:43:60:77:c6:05:22:20:14:
1c:57:5f:0d:3e:ad:cd:f2:93:17:be:fc:e1:84:ef:
10:39:e8:45:9d:f5:d2:ef:45:f9:1a:9f:ae:db:f3:
97:05:53:f1:47:b5:b1:fa:dc:10:0f:f1:6c:4f:70:
93:d3:95:80:aa:f6:a1:41:ce:72:69:20:bd:c0:9e:
ad:88:f4:2c:38:b0:42:12:48:0b:76:f7:08:f9:72:
a0:3d:7b:5c:fe:fd:e3:3d:7f:3e:06:95:21:c4:f5:
5b:7a:ac:fc:6e:b3:08:40:4f:f5:f1:47:dc:6c:56:
02:c6:81:9a:74:41:71:35:fd:a6:7f:51:a2:db:3b:
5e:d9:4e:55:28:87:b6:2a:85:ae:c5:6c:2b:c3:cd:
90:9c:e1:57:09:89:c0:a8:13:76:23:9c:40:e2:71:
0f:44:9b:bd:67:42:09:c3:0f:2c:fd:80:9f:d5:63:
d3:a3:02:1f:e5:59:41:4d:86:c6:eb:fe:f6:64:15:
92:ba:5a:c8:87:a3:b5:1c:46:71:4f:7d:f2:4a:c0:
ef:f1:1f:d8:e5:bf:e2:70:c1:29:ea:49:83:1c:0b:
a6:b8:2d:e5:dc:18:ff:19:95:8a:09:1f:63:17:dc:
6a:8a:81:c0:37:27:93:e4:56:15:3e:79:0d:49:27:
92:43
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Key Identifier:
75:4B:06:90:18:15:1D:44:6F:6B:F9:0D:4B:E1:07:68:2A:E0:F3:B3
X509v3 Authority Key Identifier:
keyid:06:70:74:88:32:4B:83:2A:A2:59:48:E7:D6:EA:AB:3B:2D:BF:0C:41
DirName:/O=DC2.SMPTE.DOREMILABS.COM/OU=DC.DOREMILABS.COM/CN=.DCS.DOLPHIN.DC2.SMPTE/dnQualifier=hN7uXSLYi/EKtT0MYaDWeE5j3Mo=
serial:02
Signature Algorithm: sha256WithRSAEncryption
4e:cd:fb:98:74:bc:f5:00:8e:0e:a9:33:28:e4:9d:9b:4a:52:
f7:97:33:57:74:f6:c5:7a:f2:c4:f2:dd:62:ca:c2:f6:fc:7d:
0a:03:67:46:7a:a9:d9:5e:b0:8a:2f:e4:cd:7d:28:59:f7:53:
43:48:c8:d9:33:7a:19:5d:94:1c:07:77:f7:5c:5d:c2:cb:f1:
c2:ef:aa:a6:59:ee:57:70:6d:a8:42:27:17:08:c2:41:04:50:
6a:d5:1f:c1:a1:62:b1:d4:68:51:db:e6:09:d6:7f:80:71:f1:
43:a9:11:c2:73:6c:4c:e6:65:ed:23:b7:07:6f:34:30:55:7c:
9c:97:98:c2:12:e1:ee:fc:da:72:6d:30:b8:44:ca:8d:a9:9b:
a6:3e:36:a0:6c:14:f9:75:6c:f4:1e:e0:8f:09:2b:d1:96:b8:
7c:0d:d2:57:1a:73:35:f9:48:d1:18:6d:67:f3:33:26:15:51:
08:9a:bb:dd:21:60:48:a0:29:24:62:81:9f:8f:a7:d6:99:54:
8e:28:44:13:a3:8f:32:ad:9a:29:bb:5e:ee:96:14:cb:6f:54:
53:31:c1:d5:d4:d5:94:7d:23:e5:09:3e:fe:ee:62:62:af:e7:
f8:56:3b:40:00:be:d6:f0:d1:ae:78:77:e2:c1:ce:22:a1:72:
8f:7d:9d:66
字段说明如下:
version:必须是x.509 v3版本
Serial Number: 序列号,每个证书都有一个全局的唯一序列号,便于检索
SignatureAlgorithm:签名算法,必须是sha256WithRSAEncryption,使用PKCS#1v1.5签名填充,对公钥进行签名
Issuer:颁发和签署此证书的实体的全局唯一名称
dnQualifier:签发证书机构的签名,确保证书是真实的
O:根证书组织名
OU:颁发者或证书主体所属的组织的名称。此字段不标识最终所有者或设施,而是标识设备制造商。
CN:具体颁发证书单位的名称
Validity:证书有效时间
Not Before:开始时间
Not After:结束时间
Subject:证书的主体部分
dnQualifier:本证书的指纹签名注意和上面提到的签发机构的指纹区分
O:根组织名
OU:颁发证书组织名同issuer
CN:设备或产品型号名
Public Key Algorithm:必须是 rsaEncyption, rsa产生公钥 和私钥对,公钥加密数据,私钥解密,私钥在设备端保存
public-Key: 必须是2048bit即256字节
Modulus:
具体的公钥信息
exponent:必须是65537
X509v3 extensions: 509协议的一些扩展
X509v3 Basic Constraints: critical 这个字段在所有证书中都是存在的,如果我们这个证书用于签名则 CA:TRUE,但我们是数字院线播放设备是做设备安全认证的,故
CA:FALSE 必须是false
X509v3 Key Usage:证书中公钥的用途 可以用于数字签名 密钥加密和数据加密 Digital Signature Key Encipherment Data Encipherment