Hi,
I am trying to (independently of openssl) generate the hash for a certificate
(the short string
that would be used as the symlink name in the openssl/certs directory).
eg, this command
openssl x509 -in CERT.pem -noout -hash
I am trying to do this because I wanted to know how openssl was calculating
this.
At the bottom of the man page for x509 it states the following:
The hash algorithm used in the -subject_hash and -issuer_hash options before
OpenSSL 1.0.0 was based on the deprecated MD5
algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and
later it is based on a canonical version of the DN
using SHA1.
That's a great start but not enough detail to let me generate this myself.
Since I know the hash uses sha1 I should be able to generate the hash with
"shasum" passing in the correct data. And there is the issue. All the
combinations of data I have passed in give me a different hash to what openssl
generates. It's much longer but I believe that is because openssl just chops
everything past 8 chars off.
Since the man page says it's a hash of the DN (subject) I tried passing in the
subject (in the various formats available from openssl):
openssl x509 -noout -in CERT.pem -text | grep Subject:
Subject: C=GB, O=My Company, OU=My Department, CN=MyName
openssl x509 -in CERT.pem -noout -subject
subject= /C=GB/O=My Company/OU=My Department/CN=MyName
openssl x509 -in CERT.pem -noout -subject -nameopt RFC2253
subject= CN=MyName,OU=My Department,O=My Company,C=GB
I then feed that into shasum like so (showing just one of the 6 combinations. I
tried the subject for the three variations with and without the "subject= " or
"Subject: " prefix)
printf "CN=MyName,OU=My Department,O=My Company,C=GB" | shasum
6a73b8417b2f51195e1d0bcee3c2adbc1fb73124 -
I tried looking at the code but I am not really a coder and definitely not a
C/C++ one and I was getting rather out of my depth trying to follow it.
What I THINK my problem is, is that the string that openssl is using as the
input for the hash is different to what I am using. Is there some way I can see
what it's using or am I going in the wrong direction here?
Regards
Ben
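As an added example (not from the post above and not OpenSSL's own code), the following stand-alone Python reproduces what the OpenSSL 1.0.0+ `-hash` / `-subject_hash` output is built from: the DN is re-encoded in OpenSSL's canonical form (each attribute value converted to a UTF8String, leading/trailing whitespace stripped, runs of whitespace collapsed to one space, ASCII lower-cased, the RDN SET OFs concatenated without the outer SEQUENCE header), that byte string is hashed with SHA-1, and the first four digest bytes are read as a little-endian integer and printed as 8 hex digits. It assumes the DN is supplied as (attribute, value) pairs in the certificate's own order with one attribute per RDN, and that every value is one of the string types OpenSSL canonicalises (PrintableString, UTF8String, etc.); the sample DN is the one from the post.

```python
import hashlib

# Attribute type OIDs for the short names used in the sample subject.
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
WS = " \t\n\v\f\r"  # the whitespace set OpenSSL's ossl_isspace() recognises

def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER given in dotted notation."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(chunk)
    return b"\x06" + der_len(len(out)) + bytes(out)

def canon_value(s):
    """Canonical attribute value: strip, collapse whitespace, lower-case ASCII."""
    out, pending_space = [], False
    for ch in s.strip(WS):
        if ch in WS:
            pending_space = True
            continue
        if pending_space:
            out.append(" ")
            pending_space = False
        out.append(ch.lower() if ch.isascii() else ch)
    return "".join(out).encode("utf-8")

def canon_dn(dn):
    """Canonical DN encoding: RDN SET OFs back to back, no outer SEQUENCE."""
    enc = b""
    for attr, value in dn:
        v = canon_value(value)
        atv = der_oid(OIDS[attr]) + b"\x0c" + der_len(len(v)) + v  # UTF8String
        atv = b"\x30" + der_len(len(atv)) + atv   # AttributeTypeAndValue SEQUENCE
        enc += b"\x31" + der_len(len(atv)) + atv  # RelativeDistinguishedName SET
    return enc

def subject_hash(dn):
    """What `openssl x509 -hash` prints: first 4 SHA-1 bytes, little-endian."""
    md = hashlib.sha1(canon_dn(dn)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")

if __name__ == "__main__":
    dn = [("C", "GB"), ("O", "My Company"), ("OU", "My Department"), ("CN", "MyName")]
    print(subject_hash(dn))
```

This is also why feeding the printed subject line to `shasum` never matches: the hashed input is DER, not text, and the hash is a byte-reordered prefix of the digest rather than its first 8 hex characters.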