> Well the first embedded SEQUENCE is the tbsCertificate data. You need to
> hash all of that including the SEQUENCE tag+length bytes.
This is correct. My previous statement that you don't include the tag and
length bytes was incorrect. Sorry.
DS
> There is an example here:
>
> http://www.openssl.org/docs/apps/rsautl.html#EXAMPLES
>
Awesome, that is exactly what I'm looking for.
Thanks!
Anthony.
__
OpenSSL Project http://www.openssl.org
On Fri, May 09, 2008, Anthony Floyd wrote:
> To generate the signature, has that first embedded SEQUENCE (the one
> that contains the certificate data) been hashed entirely? Including the
> tag and length fields? Or has some subset of that been hashed? I
> assume that the SEQUENCE with the hash
> This page is helpful as well:
> http://en.wikipedia.org/wiki/X.509
>
> Under "Structure of a certificate", it shows that a certificate consists
> of an inner certificate (sometimes called the TBS certificate), followed
> by the certificate signature algorithm and the signature itself. The
> To do that properly you do need to at least parse some of the ASN1 data.
> There is some header information at the start which contains the
> SEQUENCE tag+length bytes.
Right. This isn't a problem, as I've been pulling the data out by
parsing the ASN.1 data anyway.
> The actual bit you
> To do that properly you do need to at least parse some of the ASN1 data.
> There is some header information at the start which contains the
> SEQUENCE tag+length bytes.
>
> The actual bit you will hash is in the middle of the data. One SEQUENCE
> header is deleted from the start and some dat
On Thu, May 08, 2008, Anthony Floyd wrote:
> Hi,
>
> I have a self-signed certificate generated by OpenSSL. I'm using Python
> and various libraries (PyCrypto, tlslite) to programmatically access the
> certificate. I'm not having any problems pulling the data out of the
> certificate.
>
> Now
> So to check the signature, it should be as easy as to hash
> the data, decrypt the signature with the public key and
> compare the two.
Of course, I meant: hash the data, encrypt the hash with the public key
and compare to signature.
Thanks,
Anthony.
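
The check discussed in this thread, as an added example that is not part of the original messages: it slices the tbsCertificate out of the DER with its SEQUENCE tag and length bytes, and shows that an RSA signature check passes on that span and fails when the header is left out. It assumes PKCS#1 v1.5 with SHA-256; the function names, the toy key and the certificate-shaped sample are constructed for illustration.

```python
import hashlib

PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 DigestInfo (assumed hash)

def read_tlv(buf, off):
    """Return (tag, header_len, content_len) of the DER element at buf[off]."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                          # short form
        return tag, 2, first
    n = first & 0x7F                          # long form: n length bytes follow
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length")
    return tag, 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def split_certificate(cert):  # -> (tbs incl. tag+length, tbs header len, signature)
    tag, off, _ = read_tlv(cert, 0)           # outer Certificate SEQUENCE
    ttag, hl, cl = read_tlv(cert, off)        # tbsCertificate SEQUENCE
    tbs, off = cert[off:off + hl + cl], off + hl + cl
    _, ahl, acl = read_tlv(cert, off)         # signatureAlgorithm, skipped here
    off += ahl + acl
    stag, shl, scl = read_tlv(cert, off)      # signatureValue BIT STRING
    if (tag, ttag, stag) != (0x30, 0x30, 0x03) or cert[off + shl] or off + shl + scl != len(cert):
        raise ValueError("not Certificate-shaped DER")
    return tbs, hl, cert[off + shl + 1:off + shl + scl]

def encoded_message(data, k):                 # EMSA-PKCS1-v1_5 encoding of data
    t = PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify(cert, n, e, with_header=True):
    tbs, hl, sig = split_certificate(cert)
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return len(sig) == k and em == encoded_message(tbs if with_header else tbs[hl:], k)

def der(tag, content):                        # minimal DER encoder for the sample
    ln = len(content)
    if ln < 0x80:
        return bytes([tag, ln]) + content
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def make_sample():                            # constructed toy data, not a real cert
    p, q, e = 2**521 - 1, 2**607 - 1, 65537   # Mersenne primes, demo key only
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    tbs = der(0x30, b"\x02\x01\x01" + der(0x0C, b"constructed tbs fields " * 8))
    k = (n.bit_length() + 7) // 8
    sig = pow(int.from_bytes(encoded_message(tbs, k), "big"), d, n).to_bytes(k, "big")
    return der(0x30, tbs + der(0x30, b"\x05\x00") + der(0x03, b"\x00" + sig)), n, e
```

`verify(*make_sample())` hashes the span that starts at the tbsCertificate tag byte; passing `with_header=False` hashes only the contents and no longer matches the signature.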