
HarmonyOS App Signing: Hands-On Practice and a Look at the Mechanism

Meituan Technical Team (美团技术团队)  · WeChat Official Account  · Architecture  · 2025-01-02 19:58

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = , ST = , L = , O = , OU = , CN = testscr    // information about the certificate applicant
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:    // the applicant's public key value, identical to the public key value in my.pem above
                    04:3d:bc:b3:bf:2b:17:cf:97:d4:95:a0:91:07:1f:
                    1c:1d:86:cb:6d:0c:09:3e:75:3a:e7:ba:78:6e:59:
                    6c:fb:14:2a:56:6b:3f:1d:1a:45:7d:1e:8a:72:f6:
                    13:95:ac:13:7b:2d:d3:32:38:ca:f8:f4:2b:38:5d:
                    13:09:2c:09:60
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        Attributes:
            Requested Extensions:
                X509v3 Subject Key Identifier:    // identifier of the certificate applicant
                    6D:08:45:8C:8C:4A:FE:6E:75:E8:02:A4:82:7E:39:A4:D5:BB:49:40
    Signature Algorithm: ecdsa-with-SHA256
    Signature Value:
        30:44:02:20:25:ce:44:5f:d0:01:ca:87:9f:7f:75:e1:46:a3:
        fe:09:1d:04:52:6f:0e:8f:f9:0e:ea:b2:28:8c:31:61:d3:ef:
        02:20:1a:e8:16:ac:29:bb:b4:52:e1:99:18:c4:13:22:4d:3a:
        97:a7:f6:47:e1:c8:e6:a7:49:1a:f0:b4:19:44:15:cd
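Note that the applicant's public key value here is identical to the public key value in the p12 file above, which shows that the CSR carries our public key. The following command derives the public key fingerprint directly from the CSR file:
openssl req -in my.csr -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
The CSR generated in this example yields the following public key fingerprint:
fzyRjPvTPElBAj0VlYlVA74M3RMtUh5ljKbOYf1NDA0=
This is the same as the fingerprint computed from the public key certificate.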
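Generating the developer signing leaf certificate
The role of a certificate can be summarized abstractly as:
The issuer (Issuer) says: the public key of the holder (Subject) is such-and-such.
Certificates generally come in three levels: the root certificate (Root Certificate), the intermediate certificate (Intermediate Certificate), and the leaf certificate (Leaf Certificate).
  • The leaf certificate is issued by the intermediate certificate (that is, the leaf certificate's Issuer + AKID equal the intermediate certificate's Subject + SKID)
  • The intermediate certificate is issued by the root certificate (that is, the intermediate certificate's Issuer + AKID equal the root certificate's Subject + SKID)
  • The root certificate is issued by itself (it is self-signed: the root certificate's Issuer and Subject are the same)
What we need is the developer signing leaf certificate used to sign our app, and it has to be issued for us by Huawei's developer signing intermediate certificate. Leaf certificates are either debug certificates or release certificates; we take a release certificate as the example (procedure: https://developer.huawei.com/consumer/cn/doc/app/agc-help-add-releasecert-0000001946273961):
We need to upload our CSR file; an example of the content of the resulting certificate file is as follows: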
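As you can see, the leaf certificate file also contains the intermediate certificate and the root certificate. The decoded information of each certificate is as follows: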
Root certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5339133492510690512 (0x4a18699f9d7d8cd0)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Root CA G2
        Validity
            Not Before: Mar 16 03:04:39 2020 GMT
            Not After : Mar 16 03:04:39 2049 GMT
        Subject: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Root CA G2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:5a:27:64:1a:70:d2:3b:0d:ff:1c:4d:b2:d8:61:
                    e5:f9:fa:56:04:86:b9:4b:e2:25:9c:da:ec:19:4b:
                    f0:0b:52:36:41:6b:ed:a8:21:d6:9b:01:65:14:af:
                    79:cc:a5:e2:33:cb:3d:c9:5d:d5:55:78:7b:8a:f3:
                    7c:64:93:b7:48:2e:4d:d5:30:ab:bc:1d:a5:a4:73:
                    01:c1:cc:f8:0c:0d:24:80:70:8c:9b:fc:03:79:ce:
                    a4:38:7c:75:c6:f0:91
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                A3:8E:5A:F5:5A:BC:71:8C:2A:6A:25:72:7E:48:92:E2:92:DC:20:00
    Signature Algorithm: ecdsa-with-SHA384
    Signature Value:
        30:64:02:30:33:2a:5e:07:b3:f4:21:b6:3b:73:a8:29:59:c0:
        a5:85:1c:e7:38:91:63:f2:e6:af:ac:db:b6:3c:8a:33:f4:a2:
        2a:af:78:e7:06:50:47:26:cd:26:c8:8e:e7:b5:8a:44:02:30:
        5b:9b:c7:83:31:96:39:ce:ae:62:31:95:02:e8:7e:d4:cd:84:
        a2:c7:85:32:d5:89:6c:2d:55:7b:df:c3:ed:28:ff:61:15:38:
        e0:0c:77:2d:5c:99:42:e4:be:fe:64:36
Intermediate certificate:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6803676100576229407 (0x5e6b835db5a9381f)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Root CA G2
        Validity
            Not Before: Jul  9 02:04:24 2020 GMT
            Not After : Jul  7 02:04:24 2030 GMT
        Subject: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Developer Relations CA G2
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:eb:92:dd:a0:86:61:d6:19:69:67:68:0f:6c:9e:
                    a0:3e:11:ec:bd:84:91:7b:6d:8a:11:38:1d:a9:e5:
                    5e:62:7a:db:44:72:3d:c2:c3:d3:e9:11:98:4b:ea:
                    54:e2:63:e5:eb:0c:73:80:33:2a:37:a4:98:fc:1a:
                    19:96:e8:64:13:53:f3:68:7a:0f:a0:d2:16:22:ad:
                    0e:df:78:69:c8:ac:b2:63:00:1a:70:85:04:8d:8b:
                    ab:93:0d:44:f6:bf:67
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                A3:8E:5A:F5:5A:BC:71:8C:2A:6A:25:72:7E:48:92:E2:92:DC:20:00
            X509v3 Subject Key Identifier:
                DB:5E:93:B2:23:E8:D0:E4:FE:71:7A:66:E9:A4:73:47:5B:7F:F3:5E
            X509v3 Certificate Policies:
                Policy: X509v3 Any Policy
                  CPS: http://cpki-caweb.huawei.com/cpki/cps
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://cpki-caweb.huawei.com/cpki/servlet/crlFileDown.crl?certype=10&/root_g2_crl.crl
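The Issuer/Subject and AKID/SKID linkage rules listed earlier can be checked mechanically. The following is an added example, not code from the original article: it parses `openssl x509 -text` excerpts and reports every broken link in a chain. The root and intermediate fields are copied from the dumps on this page; the leaf excerpt (placeholder Subject, SKID taken from the CSR) and all function names are constructed for illustration.

```python
import re

# ROOT and INTERMEDIATE fields are copied from the certificate dumps on this page.
# LEAF is constructed for this example: placeholder Subject, SKID taken from the CSR.
ROOT = """Issuer: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Root CA G2
Subject: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Root CA G2
X509v3 Subject Key Identifier:
    A3:8E:5A:F5:5A:BC:71:8C:2A:6A:25:72:7E:48:92:E2:92:DC:20:00"""
INTERMEDIATE = """Issuer: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Root CA G2
Subject: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Developer Relations CA G2
X509v3 Authority Key Identifier:
    A3:8E:5A:F5:5A:BC:71:8C:2A:6A:25:72:7E:48:92:E2:92:DC:20:00
X509v3 Subject Key Identifier:
    DB:5E:93:B2:23:E8:D0:E4:FE:71:7A:66:E9:A4:73:47:5B:7F:F3:5E"""
LEAF = """Issuer: C = CN, O = Huawei, OU = Huawei CBG, CN = Huawei CBG Developer Relations CA G2
Subject: CN = example-release-leaf
X509v3 Authority Key Identifier:
    DB:5E:93:B2:23:E8:D0:E4:FE:71:7A:66:E9:A4:73:47:5B:7F:F3:5E
X509v3 Subject Key Identifier:
    6D:08:45:8C:8C:4A:FE:6E:75:E8:02:A4:82:7E:39:A4:D5:BB:49:40"""

KEYID = r":\s*(?:keyid:)?\s*((?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})"

def parse(dump):
    """Pull Issuer, Subject, AKID and SKID out of `openssl x509 -text` output."""
    def field(pattern):
        m = re.search(pattern, dump)
        return m.group(1).strip() if m else None
    akid = field("Authority Key Identifier" + KEYID)
    skid = field("Subject Key Identifier" + KEYID)
    return {"issuer": field(r"Issuer:\s*(.+)"), "subject": field(r"Subject:\s*(.+)"),
            "akid": akid and akid.upper(), "skid": skid and skid.upper()}

def link_errors(child, parent):
    """Reasons why `parent` cannot have issued `child`; an empty list means linked."""
    errors = []
    if child["issuer"] != parent["subject"]:
        errors.append("Issuer does not match parent Subject")
    if child["akid"] is not None and child["akid"] != parent["skid"]:
        errors.append("AKID does not match parent SKID")
    return errors

def check_chain(dumps):
    """`dumps` is ordered leaf -> root; the last one is paired with itself (self-issued root)."""
    certs = [parse(d) for d in dumps]
    pairs = zip(certs, certs[1:] + certs[-1:])
    return {i: errs for i, (c, p) in enumerate(pairs) if (errs := link_errors(c, p))}

if __name__ == "__main__":
    print(check_chain([LEAF, INTERMEDIATE, ROOT]))
```

Matching names and key identifiers only shows how the chain is assembled; each certificate's signature still has to be verified against its issuer's public key, for example with `openssl verify`.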





