如何在原生 Go 中将 PEM 证书链转换为 PKCS7？

“纵有疾风来，人生不言弃”，这句话送给正在学习Golang的朋友们，也希望在阅读本文《如何在原生 Go 中将 PEM 证书链转换为 PKCS7？》后，能够真的帮助到大家。我也会在后续的文章中，陆续更新Golang相关的技术文章，有好的建议欢迎大家在评论留言，非常感谢！

我正在寻找任何实用方法，将 pem 编码的 x509 证书链转换为 go 语言中的 pkcs7 格式。

这个 openssl 命令行说明了我试图在本机 go 中实现的目标。

openssl crl2pkcs7 -nocrl -certfile certificate-chain.pem > pkcs7.pem

我可以使用 exec 包从 go 程序中运行 openssl 命令行，但我正在 go 中寻找有效的解决方案。

输入文件包含一系列 pem 格式的证书，以 -----begin certificate-----\n 和 base64 编码数据开头。所需的输出需要采用 pkcs7 格式，以 -----begin pkcs7----- 开头。

我正在寻找一种有效的解决方案，因为我实际上并不是在读写文件，而是在内存中将大量证书作为字符串处理。

任何建议表示赞赏。

解决方案

首先，需要明确的是，您请求的输入和输出都是 pem 格式。输入是 pem 编码的 x509 证书序列，您请求的输出是 pem 编码的 pkcs#7 退化“仅证书”结构。如果您为其提供 -outform der 选项，openssl 可以输出 pkcs#7 结构的原始 asn.1 der，但默认情况下它将对其输出进行 pem 编码。

有许多 go 软件包可以构建这种 pkcs#7 结构。以下示例使用 this one。

如果您的输入是 pem 编码的字符串，并且您希望输出是 pem 编码的字符串，那么基本步骤是：

1. 从输入中提取每个 pem 块，对其进行解码并收集其原始字节。
2. 从这些字节创建 pkcs7 结构。
3. pem 将该结构编码为字节数组。
4. 将该字节数组转换为字符串。

这是一个简单的例子：

package main

import (
    "encoding/pem"
    "fmt"
    "log"

    "github.com/fullsailor/pkcs7"
)

var certchain = `-----begin certificate-----
miiekjccahkgawibagiqvuzjj/mbv3n8ps0chqtfzzanbgkqhkig9w0baqsfadbk
mqswcqydvqqgewjvuzewmbqga1uecbmntmv3iehhbxbzaglyztetmbega1uebxmk
ug9ydhntb3v0adeomcyga1ueaxmfu2ltcgxlq0egtm9ulvb1ymxpyybuzxn0ielz
c3vlcjaefw0xodexmjgymzmwndvafw0xotaymjyymzmwndvambuxezarbgnvbamt
ckphbmugu21pdggwggeima0gcsqgsib3dqebaquaa4ibdwawggekaoibaqc3iiys
42eqjojff81meku0w+8utqgl9d9fh0byaljgvkx1jvlg6l2cx1opfnmxowjdo7db
icrrpkxq/fh/tspumznwlp6fsu559mgzkudzrhdvdcf0pa/qujejeidlxs7mtekc
rkw6syrkceknsopcawnwr/cebl09pg3lef7vumfmkusmw+l7uphpl/shyqnyoanh
9b7ieeq832rg7b7vox6zmdccr6qndhxt6l/neidfbx736wh+ff+ikytw7xjnflqt
yvifuvni9rgridzdapva1/a94tkhbfzil/2uedzno61mcucbchqhul4iezpi/s5i
iyxqm9omomqkpsalagmbaagjjzalmasga1uddwqeawidqdawbgnvhsubaf8eddak
bggrbgefbqcdajanbgkqhkig9w0baqsfaaocageaxe8ipocwvv+bc78ci6qjab6n
1dn0n9x7ai6nvekdp1hqvnuhqkmkhv8pel7gapyh7rz3shyjylewlv0zugs3/uvv
38ae5xl2uqll4eomz4t9nxewzyrmesyfwz1za93wkgkz6ihoyrepi4ewapjyowok
nnrocmrfuzheuyssdlnxtgxkvtryfi63rjnikjnm7c8mkozevobdegzipalxondb
fcvuhikyu6ykt3rc5x/ow5i2lfcl9v8mhjbuipmlszjytcdbk81afix8g7iavb8l
burbigstshqisprunnxbcqg3yimdncn0n5lldmup3jxwqiuvez7psauu6avy7x8b
faq9uthtz63fqvclyl8us/oyzmeypxpw5hsfhqwujkzjhvo1raaou+3zsybrsxay
tzgm05wucsomtjhobzfr8ovqxknmhwgnudwsxuxqqfhubv5jlkhxwizxuoh3fhgz
9b2yh0pf/vgurglfk/onmyr33b0grat6/nw294ouokcp9jdwnpqr+ergodu6hz/p
uzmfr+dhvpihpouskcrknxklrblfzsg8uiymxinb27obk+mwch8guv5epjw1pucv
338v19sruqthrrs7znwymmxgewosj4ek/ystjcespenoec1hbvenhqe+h/jvn7pc
gn3nlk0grjl5j3y6nmw=
-----end certificate-----
-----begin certificate-----
miiekzccahogawibagirakju/ehi+hw4pqzenuj9f1awdqyjkozihvcnaqelbqaw
zdelmakga1uebhmcvvmxfjaubgnvbagtdu5ldybiyw1wc2hpcmuxezarbgnvbact
clbvcnrzbw91dggxkdambgnvbamth1npbxbszunbie5vbi1qdwjsawmgvgvzdcbj
c3n1zxiwhhcnmtgxmti4mjmzmtq2whcnmtkwmji2mjmzmtq2wjavmrmweqydvqqd
ewpgcmvkiepvbmvzmiibijanbgkqhkig9w0baqefaaocaq8amiibcgkcaqeat4om
eunnqitixxfnthpfnmpvfe0ic/q/x4dawajy4lysdy75yopdgl9tj3ztmtlow6ow
wsakazysavxr/7bd7pszvi6ehblueftim5lnc0rw1xqhdkwv6ro3ixogy17o5rxp
hkyluksqynhpj0qdwgmj1q/whas9part5xn+71dh5plkjfvi+7qr6s/7b8qp8qaj
4fw+yhnkpn9q4o2+1tl+s5g3aq+qp3yv7ei/53onrw1+9+sb/nxfoisk8o1ytx5a
k2l4n1l5ypaxq4g2xqd1wtf2velsh2xc4pf9lba8zaotznlng3b6ovc+chs6yv7o
sisl6jpadkdecj0gjqidaqaboycwjtalbgnvhq8ebamca6gwfgydvr0laqh/baww
cgyikwybbquhawiwdqyjkozihvcnaqelbqadggibaimzrastb2tb0tcs0x9d0nty
z8q3fkexvt816xfbgirs1atetnv59sjkjvpe9qrokqdrk7q+/ho80iu1o7dwfp7s
h29g9a1uhivcy1ijr8cw8la9h/of2kxggx8toldrftul60sa3rij7lqyow0nku+o
wrrsilmclhp8nzyjkn2wf066jtv6z4be2cgvpaxkutie3h4bov0kg9osmvurmqzw
n7z6eqhdusujwhevb2dizgixacne5v5hnpzm1ujzlgbaazwh7ufthktxl5fbbkw7
heoov320gotvqkgvvlc4pac5kr+p6jwfcdetfivvtyttfei5tdm606rba3bhtiru
ko4m63fnyziuzrxrf/bdcazvx5jhqwugpxei5ucaf6e5psovhlp6o0sien6thy/i
f+zzn6kf8ez0oyk+61fvpbbpkf05afhkkduirfywuy5+ixrpk4iuqxhm/krco0h3
rxxcdlc+9ol1jijnnf2lv8+u1apspfk0gnrxoylfyrsejciv8/d67v8oek0gfimm
/uzuhc2jyj05lfk7agv72cf82g46zaunaih4zwvmxvc/2tcqcayfyk15d1dqgqog
z3lr6vix/nco72ywqwgjrc5hdr5vliniextrlnkm4ew+aoly3x+erhmq69eengmr
4/guxrunb7is+lfm3jye
-----end certificate-----`

func main() {

    // decode each pem block in the input and append the asn.1
    // der bytes for each certificate therein to the data slice.

    input := []byte(certchain)
    data := []byte{}

    for len(input) > 0 {
        var block *pem.block
        block, input = pem.decode(input)
        data = append(data, block.bytes...)
    }

    // build a pkcs#7 degenerate "certs only" structure from
    // that asn.1 certificates data.

    var err error
    data, err = pkcs7.degeneratecertificate(data)
    if err != nil {
        log.fatalf("couldn't create degenerate pkcs7 object: %v", err)
    }

    // convert the pkcs#7 structure to a pem-encoded string.

    pemstring := string(pem.encodetomemory(&pem.block{
        type:  "pkcs7",
        bytes: data,
    }))

    // print the string, or do whatever you want with it.

    fmt.printf("%s", pemstring)
}

并显示它给出与 openssl 命令相同的输出：

paul@mac:certstop7$ cat certs.pem
-----BEGIN CERTIFICATE-----
MIIEKjCCAhKgAwIBAgIQVUzJj/mbV3n8PS0CHQTfzzANBgkqhkiG9w0BAQsFADBk
MQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTmV3IEhhbXBzaGlyZTETMBEGA1UEBxMK
UG9ydHNtb3V0aDEoMCYGA1UEAxMfU2ltcGxlQ0EgTm9uLVB1YmxpYyBUZXN0IElz
c3VlcjAeFw0xODExMjgyMzMwNDVaFw0xOTAyMjYyMzMwNDVaMBUxEzARBgNVBAMT
CkphbmUgU21pdGgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC3iiYS
42eqJOJfF81MekU0w+8UTQgL9D9fh0BYAljgvKx1jvlg6l2CX1OPfNMxOWjDo7DB
ICRrPKxq/FH/tsPumzNWLp6Fsu559MgzkudzRHDVdCF0pa/qujeJeiDLXs7mtekc
rKW6SyrKceknSoPCAwnWr/CEBL09pG3lef7vUMfmkuSMW+L7upHpL/sHyqnyoAnh
9b7IeeQ832rg7b7VOX6zmDcCr6qndhXt6L/neidFbX736wH+fF+iKyTw7XJNflqT
YvifUvnI9rGriDZdAPVa1/a94tKHbFzil/2UEDzNo61mcucbcHqhUL4Iezpi/s5I
iyXqM9oMoMQKPSAlAgMBAAGjJzAlMAsGA1UdDwQEAwIDqDAWBgNVHSUBAf8EDDAK
BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAXe8ipocWVv+Bc78ci6QjAb6N
1DN0n9X7Ai6nvekDP1hqvNUhqKmKhV8pEL7GapyH7Rz3shYJyLEwlV0zUgS3/Uvv
38Ae5xl2uQLl4eoMz4T9NXewZyRmeSyfwz1za93wKGKz6IhoYRepI4EwaPjYowok
nNrocMRFuZHeUysSdLNXtgxKvtRYFI63rjNikJNM7C8mKOzeVobdegZipALxonDb
FcVUhikyu6YkT3Rc5X/oW5I2LfCl9v8mhjbuIPmLsZJyTcDBK81AFIX8g7Iavb8L
buRBIgSTShQISPrunnxbcQg3YimdNCn0n5llDmUP3jxWqiuvEZ7pSAUU6aVY7x8B
fAq9utHTz63FqVCLyl8us/oYZmeYpxpw5HSFhqwujKzJhvO1raaoU+3zsybrsxAy
tzgm05WucSoMTjhOBZFr8OVQxKnMHwgNudwsxuXqqFhUBV5JLkhxWIZxUoH3fhgz
9b2yH0pf/Vgurglfk/onMYR33B0grAT6/NW294oUOKCP9jdwNPQr+eRgoDU6hZ/P
UZMfr+dhVpIHPouSKCrkNXKLrBLFZsg8UiyMXiNB27OBK+mWCH8gUv5EPjW1PUCV
338v19sruqtHRRs7ZnWYMMxGeWosJ4eK/ysTjCespenOeC1HBVEnHQE+H/JvN7Pc
GN3nlK0GRJl5j3y6nmw=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKzCCAhOgAwIBAgIRAKju/EHi+Hw4PQZENuj9F1AwDQYJKoZIhvcNAQELBQAw
ZDELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU5ldyBIYW1wc2hpcmUxEzARBgNVBAcT
ClBvcnRzbW91dGgxKDAmBgNVBAMTH1NpbXBsZUNBIE5vbi1QdWJsaWMgVGVzdCBJ
c3N1ZXIwHhcNMTgxMTI4MjMzMTQ2WhcNMTkwMjI2MjMzMTQ2WjAVMRMwEQYDVQQD
EwpGcmVkIEpvbmVzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4om
EuNnqiTiXxfNTHpFNMPvFE0IC/Q/X4dAWAJY4LysdY75YOpdgl9Tj3zTMTlow6Ow
wSAkazysavxR/7bD7pszVi6ehbLuefTIM5Lnc0Rw1XQhdKWv6ro3iXogy17O5rXp
HKyluksqynHpJ0qDwgMJ1q/whAS9PaRt5Xn+71DH5pLkjFvi+7qR6S/7B8qp8qAJ
4fW+yHnkPN9q4O2+1Tl+s5g3Aq+qp3YV7ei/53onRW1+9+sB/nxfoisk8O1yTX5a
k2L4n1L5yPaxq4g2XQD1Wtf2veLSh2xc4pf9lBA8zaOtZnLnG3B6oVC+CHs6Yv7O
SIsl6jPaDKDECj0gJQIDAQABoycwJTALBgNVHQ8EBAMCA6gwFgYDVR0lAQH/BAww
CgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggIBAImzRaStB2tb0tCs0x9d0NTy
Z8Q3Fkexvt816xfBGiRS1AtetnV59sJKJvPe9qRoKQDRk7Q+/HO80Iu1o7dWfp7S
h29g9a1uhIVCY1ijr8cW8La9H/OF2KxgGX8TOldrftUl60sA3riJ7lQYOW0NkU+o
wrRsIlMCLhP8NZYjKn2Wf066JtV6Z4Be2CgVpaXkuTIE3h4BOv0kG9OsMvuRMqZw
n7z6EqhduSujwHevB2dIZgixacnE5v5hnpZm1ujzlgbAAZWh7uFthktXL5fBbkW7
heoOv320GOTvqkGVVlc4Pac5kR+P6JWfCDETfIVvtyTtfei5tDm606rBa3BHtiRu
kO4m63fnYziUzRXrF/bDcAzVx5jHQWugpxeI5UcaF6e5psOvhlP6O0sIeN6ThY/I
f+zZN6kf8eZ0OYk+61fVPbbpkF05AFhKkduIRfywUy5+iXrPK4iuQxhM/kRCO0H3
rxXcDlc+9Ol1JiJNNF2lV8+U1APsPFK0gnrxoYLFyRsejCiV8/D67v8oEk0gfiMm
/uZUhC2jYJ05lfK7aGV72Cf82g46zAuNAiH4zwvmxvC/2tcqcaYFyK15D1dQGqOg
z3LR6viX/ncO72ywQWgjRc5hdR5vLinIEXTRlNKm4EW+AoLY3x+Erhmq69EEnGMr
4/GUXRuNB7Is+lFM3JYE
-----END CERTIFICATE-----
paul@mac:certstop7$ openssl crl2pkcs7 -nocrl -certfile certs.pem > openssl_p7.pem
paul@mac:certstop7$ ./certstop7 > generated_p7.pem
paul@mac:certstop7$ diff generated_p7.pem openssl_p7.pem
paul@mac:certstop7$

本篇关于《如何在原生 Go 中将 PEM 证书链转换为 PKCS7？》的介绍就到此结束啦，但是学无止境，想要了解学习更多关于Golang的相关知识，请关注golang学习网公众号！