On Mon, Apr 22, 2013, Krzysztof Benedyczak wrote:
> Hi Openssl Developers,
>
> Since openssl 1.0.0 a new subject hash is used, i.e. the output of the
>
> openssl x509 -subject_hash ...
>
> has changed. The old one was quite easy to decipher and commonly
> known (part of the MD5 hash of the bin form of the subject name).
> Now AFAIU MD5 has been changed to SHA1, but it seems that there are
> also other modifications (some normalization? or?).
>
> Is it possible to get precise information on how openssl generates
> the aforementioned subject hash? I can try to infer it from source
> of course, but having an algorithm description would be of great
> help.
>
> I was trying to find some information on the topic but no luck. The
> reason for the question is that in Java software I need to support
> an openssl-like certificate trust store.
>
It's a bit complex and you need to be able to decode and reencode the Name
structure to duplicate this. The function x509_name_canon performs the
reencoding; this is in crypto/asn1/x_name.c:

    /* This function generates the canonical encoding of the Name structure.
     * In it all strings are converted to UTF8, leading, trailing and
     * multiple spaces collapsed, converted to lower case and the leading
     * SEQUENCE header removed.
     */

This encoding is then used to perform the hash using SHA1 in a similar way
to the old algorithm (see X509_NAME_hash function in crypto/x509/x509_cmp.c).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
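The canonical-encoding and hashing steps described in the reply, written out as an added Python example (not OpenSSL's code and not from the thread). It assumes every attribute value is one of the string types OpenSSL canonicalises (no OCTET STRING or other non-string values), and the OID table and the ISRG Root X1 subject used as sample input are constructed here; the check to run before relying on it is to compare its output for a real certificate's subject with what `openssl x509 -noout -subject_hash` prints.

```python
import hashlib

# DER-encoded OID bodies for the attribute types used in the sample (constructed here).
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b",
       "CN": b"\x55\x04\x03"}
C_SPACE = b" \t\n\v\f\r"   # the bytes C isspace() accepts; MSB-set bytes never match

def der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def canon_string(value):
    """asn1_string_canon: UTF-8, trim, collapse whitespace runs to one space,
    ASCII lower-case only (OpenSSL copies bytes with the MSB set untouched)."""
    out, prev_space = bytearray(), False
    for b in value.encode("utf-8").strip(C_SPACE):
        if b in C_SPACE:
            if not prev_space:
                out.append(0x20)
        else:
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
        prev_space = b in C_SPACE
    return bytes(out)

def canon_encoding(rdns):
    """x509_name_canon: each RDN becomes SET OF {SEQUENCE {OID, UTF8String}};
    the SETs are concatenated with no outer SEQUENCE header."""
    out = b""
    for rdn in rdns:                          # rdn = list of (type, value) pairs
        atvs = [der_tlv(0x30, der_tlv(0x06, OID[t]) + der_tlv(0x0C, canon_string(v)))
                for t, v in rdn]
        out += der_tlv(0x31, b"".join(sorted(atvs)))  # DER orders SET members
    return out

def subject_hash(rdns):
    """X509_NAME_hash: first four SHA-1 bytes of the canonical encoding,
    read as a little-endian 32-bit integer, printed as 8 hex digits."""
    md = hashlib.sha1(canon_encoding(rdns)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")

# Sample subject, transcribed from the public ISRG Root X1 root certificate;
# compare with `openssl x509 -noout -subject_hash -in <that cert>` to validate.
ISRG_ROOT_X1 = [[("C", "US")], [("O", "Internet Security Research Group")],
                [("CN", "ISRG Root X1")]]
if __name__ == "__main__":
    print(subject_hash(ISRG_ROOT_X1))
```

Because the canonical form is lower-cased and whitespace-collapsed, two subjects that differ only in case or spacing get the same hash, which is why the new hash cannot be reproduced from the raw DER subject alone.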