常见问题¶

unable to get local issuer certificate¶

这种一般是请求的机器没有指定设备的CA证书

x509: certificate signed by unknown authority¶

这种一般是没有安装ca-certifications软件

苹果p12文件导出私钥只有150B¶

// 执行这条命令得到的apns-dev-key.pem只有150B
openssl pkcs12 -nocerts -out apns-dev-key.pem -in apns-dev-key.p12
// 内容为:
Bag Attributes
  friendlyName: wei64
  localKeyID: 7F 0E 83 38 DF C0 1A 04 75 E1 95 21 A0 83 61 C0 8A E5 05 0B
Key Attributes: <No Attributes>

// 但增加-nodes选项后就正常了
openssl pkcs12 -nocerts -nodes -out apns-dev-key.pem -in apns-dev-key.p12

原因:

当不指定-node参数时,必须要输入足够复杂的密码,不然就会生成150B大小的文件
即:
openssl pkcs12 -nocerts -nodes -out apns-dev-key.pem -in apns-dev-key.p12
等同于下面2个命令:
openssl pkcs12 -nocerts -out apns-dev-key-passwd.pem -in apns-dev-key.p12
openssl rsa -in apns-dev-key-passwd.pem -out apns-dev-key-noenc.pem

unable to load key file¶

执行:

$> openssl dgst -verify cert.pem -signature file.sha1 file.data

报错:

unable to load key file

发现问题:

$> openssl x509 -in cert.pem -noout -text
Certificate:
  Data:
      Version: 3 (0x2)
      Serial Number:
           (Negative)11:1b:51:87:3d:b4:0b:5a:b7:74:94:88:39:ee:12:22
  Signature Algorithm: sha256WithRSAEncryption
      Issuer: CN=Trust - Wei64 Certificate
      Validity
          Not Before: Jun 20 03:38:11 2012 GMT
          Not After : Dec 31 23:59:59 2039 GMT
      Subject: CN=Mocca
      Subject Public Key Info:
          Public Key Algorithm: rsaEncryption
              Public-Key: (2048 bit)
              Modulus:
                  00:b5:fd:31:3f:91:24:96:7d:c3:9e:7c:6f:5a:41:
                  b2:5d:7b:15:87:ec:a4:a7:25:00:7d:ae:2c:8a:b9:
                  ... ...
                  5f:c4:87:30:5c:7a:4b:90:46:21:73:2b:6b:cd:58:
                  49:39
              Exponent: 65537 (0x10001)
      X509v3 extensions:
          2.5.29.1:
              0M..b.`~.....0...-.".'0%1#0!..U....Trust - Wei64 Certificate..^...k...@.`F
 ...
  Signature Algorithm: sha256WithRSAEncryption
       64:be:96:2c:64:02:f4:78:26:66:83:60:67:8f:e8:ca:05:64:
       c1:f4:5a:cf:a1:4e:e1:13:bb:56:f1:b4:0f:1f:03:e4:8e:ad:
       ... ...

解决方案:

原因:openssl dgst -verify cert.pem命令期望文件cert.pem contains the "raw" public key in PEM format.
  The raw format is an encoding of a SubjectPublicKeyInfo structure, which can be found within a certificate;
  but openssl dgst cannot process a complete certificate in one go.

// 你要先从证书中提取出public key
$> openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
// 然后再验证
$> openssl dgst -verify pubkey.pem -signature sigfile dat