CA certificates needed to generate a KDM for DCP packaging

In digital cinema, every stage involves encryption and decryption; this includes the encryption certificates needed to encrypt KDM files.

The relevant standard is SMPTE 430-2-2006.

As we know, most CA-related work these days is done with openssl.

How to build your own root certificate, intermediate CA certificate and leaf (end-entity) certificate: please go and search the accursed Baidu yourself.

Digital cinema imposes some restrictions on certificates; they are a subset of what X.509 supports.

This article only walks through what information a certificate contains and what each item means:

A generated certificate can be written out in either PEM or DER format. PEM is the DER encoding wrapped in base64, so the file can be viewed directly in a text editor.

Let's open the certificate with openssl on the command line and look at what it contains:

openssl x509 -in C:\Users\hasee\Desktop\dcp\encryption\kdm\kfg365.cert.sha256.pem -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:37:8f:90:56:1d:fc:b0
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = DC2.SMPTE.DOREMILABS.COM, OU = DC.DOREMILABS.COM, CN = .US1.DCS.DOLPHIN.DC2.SMPTE, dnQualifier = BnB0iDJLgyqiWUjn1uqrOy2/DEE=
        Validity
            Not Before: Jan  1 00:00:00 2007 GMT
            Not After : Dec  1 00:00:00 2025 GMT
        Subject: O = DC2.SMPTE.DOREMILABS.COM, OU = DC.DOREMILABS.COM, CN = LE SPB MD FM SM.IMB-227577.DC.DOLPHIN.DC2.SMPTE, dnQualifier = "dUsGkBgVHURva/kNS+EHaCrg87M="
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:35:65:41:44:be:43:60:77:c6:05:22:20:14:
                    1c:57:5f:0d:3e:ad:cd:f2:93:17:be:fc:e1:84:ef:
                    10:39:e8:45:9d:f5:d2:ef:45:f9:1a:9f:ae:db:f3:
                    97:05:53:f1:47:b5:b1:fa:dc:10:0f:f1:6c:4f:70:
                    93:d3:95:80:aa:f6:a1:41:ce:72:69:20:bd:c0:9e:
                    ad:88:f4:2c:38:b0:42:12:48:0b:76:f7:08:f9:72:
                    a0:3d:7b:5c:fe:fd:e3:3d:7f:3e:06:95:21:c4:f5:
                    5b:7a:ac:fc:6e:b3:08:40:4f:f5:f1:47:dc:6c:56:
                    02:c6:81:9a:74:41:71:35:fd:a6:7f:51:a2:db:3b:
                    5e:d9:4e:55:28:87:b6:2a:85:ae:c5:6c:2b:c3:cd:
                    90:9c:e1:57:09:89:c0:a8:13:76:23:9c:40:e2:71:
                    0f:44:9b:bd:67:42:09:c3:0f:2c:fd:80:9f:d5:63:
                    d3:a3:02:1f:e5:59:41:4d:86:c6:eb:fe:f6:64:15:
                    92:ba:5a:c8:87:a3:b5:1c:46:71:4f:7d:f2:4a:c0:
                    ef:f1:1f:d8:e5:bf:e2:70:c1:29:ea:49:83:1c:0b:
                    a6:b8:2d:e5:dc:18:ff:19:95:8a:09:1f:63:17:dc:
                    6a:8a:81:c0:37:27:93:e4:56:15:3e:79:0d:49:27:
                    92:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier: 
                75:4B:06:90:18:15:1D:44:6F:6B:F9:0D:4B:E1:07:68:2A:E0:F3:B3
            X509v3 Authority Key Identifier: 
                keyid:06:70:74:88:32:4B:83:2A:A2:59:48:E7:D6:EA:AB:3B:2D:BF:0C:41
                DirName:/O=DC2.SMPTE.DOREMILABS.COM/OU=DC.DOREMILABS.COM/CN=.DCS.DOLPHIN.DC2.SMPTE/dnQualifier=hN7uXSLYi/EKtT0MYaDWeE5j3Mo=
                serial:02

    Signature Algorithm: sha256WithRSAEncryption
         4e:cd:fb:98:74:bc:f5:00:8e:0e:a9:33:28:e4:9d:9b:4a:52:
         f7:97:33:57:74:f6:c5:7a:f2:c4:f2:dd:62:ca:c2:f6:fc:7d:
         0a:03:67:46:7a:a9:d9:5e:b0:8a:2f:e4:cd:7d:28:59:f7:53:
         43:48:c8:d9:33:7a:19:5d:94:1c:07:77:f7:5c:5d:c2:cb:f1:
         c2:ef:aa:a6:59:ee:57:70:6d:a8:42:27:17:08:c2:41:04:50:
         6a:d5:1f:c1:a1:62:b1:d4:68:51:db:e6:09:d6:7f:80:71:f1:
         43:a9:11:c2:73:6c:4c:e6:65:ed:23:b7:07:6f:34:30:55:7c:
         9c:97:98:c2:12:e1:ee:fc:da:72:6d:30:b8:44:ca:8d:a9:9b:
         a6:3e:36:a0:6c:14:f9:75:6c:f4:1e:e0:8f:09:2b:d1:96:b8:
         7c:0d:d2:57:1a:73:35:f9:48:d1:18:6d:67:f3:33:26:15:51:
         08:9a:bb:dd:21:60:48:a0:29:24:62:81:9f:8f:a7:d6:99:54:
         8e:28:44:13:a3:8f:32:ad:9a:29:bb:5e:ee:96:14:cb:6f:54:
         53:31:c1:d5:d4:d5:94:7d:23:e5:09:3e:fe:ee:62:62:af:e7:
         f8:56:3b:40:00:be:d6:f0:d1:ae:78:77:e2:c1:ce:22:a1:72:
         8f:7d:9d:66

The fields are explained as follows:

Version: must be X.509 v3

Serial Number: every certificate has a globally unique serial number, which makes it easy to look up

Signature Algorithm: must be sha256WithRSAEncryption; the signature uses PKCS#1 v1.5 padding and is made over the public key

Issuer: the globally unique name of the entity that issued and signed this certificate

            dnQualifier: the issuing authority's signature (its fingerprint), which ensures the certificate is genuine

            O: organization name of the root certificate

            OU: the name of the organization to which the issuer or the certificate subject belongs. This field does not identify the end owner or the facility; it identifies the equipment manufacturer.

            CN: the name of the specific unit that issued the certificate

Validity: the certificate's validity period

           Not Before: start time

           Not After: end time

Subject: the subject of the certificate

            dnQualifier: the fingerprint of this certificate itself; be careful to distinguish it from the issuing authority's fingerprint mentioned above

            O: root organization name

            OU: the name of the organization that issued the certificate, the same as in Issuer

            CN: the name of the device or product model

Public Key Algorithm: must be rsaEncryption. RSA produces a public/private key pair: the public key encrypts data and the private key decrypts it, and the private key is kept on the device.

Public-Key: must be 2048 bits, i.e. 256 bytes

Modulus: the actual public key value (the RSA modulus)

Exponent: must be 65537

X509v3 extensions: extensions defined by the X.509 standard

X509v3 Basic Constraints: critical. This field is present in every certificate. If the certificate is used for signing (a CA), it is CA:TRUE; but ours is a digital-cinema playback device certificate used for device security authentication, so it must be CA:FALSE.

X509v3 Key Usage: what the public key in the certificate may be used for. Here it may be used for digital signatures, key encipherment and data encipherment (Digital Signature, Key Encipherment, Data Encipherment).
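To turn the field rules above into something you can actually run, here is an added example (my own code, not from the original post and not Doremi's or any DCP tool's). It takes the openssl -text dump shown above (copied into the script as its input, with the signature bytes and the AKI DirName/serial lines left out) and checks each rule listed: X.509 v3, sha256WithRSAEncryption, RSA 2048 with exponent 65537, CA:FALSE for a device certificate, and the three key usages. It also goes one step further than the text: it base64-decodes both dnQualifier values and shows that they are exactly the Subject Key Identifier and the Authority Key Identifier keyid, and it recomputes that identifier as the SHA-1 over the DER-encoded RSAPublicKey (the subjectPublicKey bit-string content), which is how SMPTE 430-2 defines the thumbprint and what openssl's subjectKeyIdentifier=hash produces. The function and check names are my own.

```python
# Check an `openssl x509 -text` dump against the SMPTE 430-2 rules listed above.
# Added example, not code from the original post or from any DCP tool.
import base64
import hashlib
import re
from datetime import datetime

# The device-certificate dump shown above, copied here so the script runs
# offline (signature bytes and the AKI DirName/serial lines are omitted).
CERT_TEXT = """\
        Version: 3 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = DC2.SMPTE.DOREMILABS.COM, OU = DC.DOREMILABS.COM, CN = .US1.DCS.DOLPHIN.DC2.SMPTE, dnQualifier = BnB0iDJLgyqiWUjn1uqrOy2/DEE=
            Not Before: Jan  1 00:00:00 2007 GMT
            Not After : Dec  1 00:00:00 2025 GMT
        Subject: O = DC2.SMPTE.DOREMILABS.COM, OU = DC.DOREMILABS.COM, CN = LE SPB MD FM SM.IMB-227577.DC.DOLPHIN.DC2.SMPTE, dnQualifier = "dUsGkBgVHURva/kNS+EHaCrg87M="
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:35:65:41:44:be:43:60:77:c6:05:22:20:14:
                    1c:57:5f:0d:3e:ad:cd:f2:93:17:be:fc:e1:84:ef:
                    10:39:e8:45:9d:f5:d2:ef:45:f9:1a:9f:ae:db:f3:
                    97:05:53:f1:47:b5:b1:fa:dc:10:0f:f1:6c:4f:70:
                    93:d3:95:80:aa:f6:a1:41:ce:72:69:20:bd:c0:9e:
                    ad:88:f4:2c:38:b0:42:12:48:0b:76:f7:08:f9:72:
                    a0:3d:7b:5c:fe:fd:e3:3d:7f:3e:06:95:21:c4:f5:
                    5b:7a:ac:fc:6e:b3:08:40:4f:f5:f1:47:dc:6c:56:
                    02:c6:81:9a:74:41:71:35:fd:a6:7f:51:a2:db:3b:
                    5e:d9:4e:55:28:87:b6:2a:85:ae:c5:6c:2b:c3:cd:
                    90:9c:e1:57:09:89:c0:a8:13:76:23:9c:40:e2:71:
                    0f:44:9b:bd:67:42:09:c3:0f:2c:fd:80:9f:d5:63:
                    d3:a3:02:1f:e5:59:41:4d:86:c6:eb:fe:f6:64:15:
                    92:ba:5a:c8:87:a3:b5:1c:46:71:4f:7d:f2:4a:c0:
                    ef:f1:1f:d8:e5:bf:e2:70:c1:29:ea:49:83:1c:0b:
                    a6:b8:2d:e5:dc:18:ff:19:95:8a:09:1f:63:17:dc:
                    6a:8a:81:c0:37:27:93:e4:56:15:3e:79:0d:49:27:
                    92:43
                Exponent: 65537 (0x10001)
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Key Identifier:
                75:4B:06:90:18:15:1D:44:6F:6B:F9:0D:4B:E1:07:68:2A:E0:F3:B3
            X509v3 Authority Key Identifier:
                keyid:06:70:74:88:32:4B:83:2A:A2:59:48:E7:D6:EA:AB:3B:2D:BF:0C:41
"""

def parse_dn(line):
    """'O = x, CN = y, dnQualifier = "q"' -> dict, quotes stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+) = ("[^"]*"|[^,]+)', line)}

def parse_cert_text(text):
    """Pull the fields discussed above out of the openssl text dump."""
    g = lambda pat: re.search(pat, text).group(1)  # first capture group of a pattern
    modulus_hex = g(r"Modulus:\s*((?:[0-9a-f]{2}:\s*)+[0-9a-f]{2})")
    return {
        "version": int(g(r"Version: (\d+)")),
        "sig_alg": g(r"Signature Algorithm: (\S+)"),
        "issuer": parse_dn(g(r"Issuer: (.*)")),
        "subject": parse_dn(g(r"Subject: (.*)")),
        "not_before": datetime.strptime(g(r"Not Before: (.*) GMT"), "%b %d %H:%M:%S %Y"),
        "not_after": datetime.strptime(g(r"Not After\s*: (.*) GMT"), "%b %d %H:%M:%S %Y"),
        "pk_alg": g(r"Public Key Algorithm: (\S+)"),
        "pk_bits": int(g(r"Public-Key: \((\d+) bit\)")),
        "modulus": int(re.sub(r"[:\s]", "", modulus_hex), 16),
        "exponent": int(g(r"Exponent: (\d+)")),
        "is_ca": g(r"CA:(TRUE|FALSE)") == "TRUE",
        "key_usage": [u.strip() for u in g(r"Key Usage:\s*(.*)").split(",")],
        "ski": bytes.fromhex(g(r"Subject Key Identifier:\s*([0-9A-Fa-f:]+)").replace(":", "")),
        "aki": bytes.fromhex(g(r"keyid:([0-9A-Fa-f:]+)").replace(":", "")),
    }

def der_len(n):  # DER length octets (short or long form)
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return body if n < 0x80 else bytes([0x80 | len(body)]) + body

def der_int(v):  # DER INTEGER; the extra 0x00 keeps a high-bit value positive
    body = v.to_bytes(v.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def rsa_thumbprint(modulus, exponent):
    """SHA-1 over the DER RSAPublicKey SEQUENCE, i.e. the subjectPublicKey bit-string
    content (RFC 5280 SKI method 1, and the SMPTE 430-2 public-key thumbprint)."""
    body = der_int(modulus) + der_int(exponent)
    return hashlib.sha1(b"\x30" + der_len(len(body)) + body).digest()

def check_smpte_430_2(cert):
    """Each rule from the field list above, as check name -> pass/fail."""
    return {
        "x509_v3": cert["version"] == 3,
        "sha256_rsa_signature": cert["sig_alg"] == "sha256WithRSAEncryption",
        "rsa_2048": cert["pk_alg"] == "rsaEncryption" and cert["pk_bits"] == 2048,
        "exponent_65537": cert["exponent"] == 65537,
        "device_cert_not_ca": not cert["is_ca"],  # a signing (CA) cert would need CA:TRUE instead
        "key_usage": {"Digital Signature", "Key Encipherment", "Data Encipherment"} <= set(cert["key_usage"]),
        "validity_ordered": cert["not_before"] < cert["not_after"],
        "subject_dnq_is_ski": base64.b64decode(cert["subject"]["dnQualifier"]) == cert["ski"],  # base64 of 20 bytes
        "issuer_dnq_is_aki": base64.b64decode(cert["issuer"]["dnQualifier"]) == cert["aki"],
        "ski_is_key_thumbprint": rsa_thumbprint(cert["modulus"], cert["exponent"]) == cert["ski"],
    }

if __name__ == "__main__":
    for name, ok in check_smpte_430_2(parse_cert_text(CERT_TEXT)).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

Run it as-is and every check passes for the Doremi certificate above; feed it the output of `openssl x509 -in yourcert.pem -text -noout` instead of CERT_TEXT to check your own device certificate. For a CA certificate (root or intermediate) the device_cert_not_ca line is the one that must flip, since those are the signing certificates the Basic Constraints paragraph describes.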
