How to calculate X.509 certificate's SHA-1 fingerprint?


Problem description

I'm trying to implement an X.509 certificate generator from scratch (I know about the existing ones, but I need yet another one). What I cannot understand is how to calculate the SHA-1 (or any other) fingerprint of the certificate.

The RFC5280 says that the input to the signature function is the DER-encoded tbsCertificate field. Unfortunately, the hash that I calculate differs from the one produced by OpenSSL. Here's a step-by-step example.


  1. generate a certificate using OpenSSL's x509 tool (in a binary DER form, not the ASCII PEM)
  2. calculate its SHA-1 hash using openssl x509 -fingerprint
  3. extract the TBS field using dd (or anything else) and store it in a separate file; calculate its hash using the sha1sum utility

Now, the hashes I get at steps 2 and 3 are different. Can someone please give me a hint what I may be doing wrong?

Recommended answer

Ok, so it turned out that the fingerprint calculated by OpenSSL is simply a hash over the whole certificate (in its DER binary encoding, not the ASCII PEM one!), not only the TBS part, as I thought.

For anyone who cares about calculating certificate's digest, it is done in a different way: the hash is calculated over the DER-encoded (again, not the PEM string) TBS part only, including its ASN.1 header (the ID 0x30 == ASN1_SEQUENCE | ASN1_CONSTRUCTED and the length field). Please note that the certificate's ASN.1 header is not taken into account.
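
The distinction drawn in the answer, as an added example that is not part of the original post: a minimal DER reader that computes both the whole-certificate fingerprint and the TBS-only digest. The function names and the sample bytes are constructed for illustration; the sample is certificate-shaped but is not a valid certificate.

```python
import hashlib

def read_tlv(buf, off=0):
    """Return (tag, header_len, content_len) of the DER TLV starting at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short form: one length byte
        return tag, 2, first
    n = first & 0x7F                      # long form: next n bytes are the length
    if n == 0 or n > 4:
        raise ValueError("length form not expected in a DER certificate")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def extract_tbs(cert_der):
    """Return tbsCertificate with its own 0x30 header, without the outer header."""
    tag, hdr, length = read_tlv(cert_der)
    if tag != 0x30 or hdr + length != len(cert_der):
        raise ValueError("input is not one DER SEQUENCE (PEM text or trailing bytes?)")
    t_tag, t_hdr, t_len = read_tlv(cert_der, hdr)
    if t_tag != 0x30 or hdr + t_hdr + t_len > len(cert_der):
        raise ValueError("first element is not a well-formed SEQUENCE")
    return cert_der[hdr:hdr + t_hdr + t_len]

def fingerprint(cert_der):
    """SHA-1 over the whole DER certificate, colon-separated upper-case hex."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(cert_der).digest())

def tbs_digest(cert_der):
    """SHA-1 over the TBS part only, including its ASN.1 header."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(extract_tbs(cert_der)).digest())

def tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

# Constructed, certificate-shaped bytes (not a valid certificate).
SAMPLE_TBS = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, b"x" * 200))
SAMPLE_SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05, b""))
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS + SAMPLE_SIG_ALG + tlv(0x03, b"\x00" + b"\xab" * 64))

if __name__ == "__main__":
    print("fingerprint:", fingerprint(SAMPLE_CERT))
    print("TBS digest: ", tbs_digest(SAMPLE_CERT))
```

Feeding PEM text to `extract_tbs` raises `ValueError`, because the first byte is not the `0x30` SEQUENCE tag; decode the base64 body to DER first.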
