2013/5/10 Cristian Thiago Moecke <cont...@cristiantm.com.br>

> You have two ways to follow.
>
> 2) In some situations that is not possible (e.g. you need it to be signed
> on a different remote system). And I just had the same need this week, but
> for Certificate Requests. There are a lot of small non-documented things to
> do in this case but basically you need to:
> a) get the der encoded value of tbsCertificate field
> b) hash it
> c) apply pkcs1 padding and sign it
> d) put the signature in asn1 form
> e) add NIDs and other parameters to the cert_info field you identified.
> I spent a lot of time learning from forums and openssl code (X509_REQ_sign
> and functions it calls in my case) what I need to do. If you can, go for
> option 1). If not, I may help you more later with 2)
>

This could also be handled by some sort of engine that would work in two
modes:
* generate an intermediate result (hash) that can be processed (signed) at
the remote site (how to get it there securely is another issue)
* apply processed result (signature) to the remaining part of the signing
process

Kris


>
> On Thu, May 9, 2013 at 7:13 PM, Ken Goldman <kgold...@us.ibm.com> wrote:
>
>> I have a need to sign an X509 certificate outside openssl, using a
>> hardware security module.
>>
>> 1 - I have to first hash the certificate.
>>
>> I discovered X509_digest(), which is not documented.  Is it the correct
>> function?
>>
>> I also found ASN1_item_i2d() to serialize the cert_info member, from
>> which point I can hash. Opinions?
>>
>>
>>
>> 2 - I have to apply the resulting signature and algorithm to the
>> certificate.
>>
>> I have some sample code which assigns values to the low level X509
>> structure.
>>
>> E.g.,
>>
>> x509->cert_info->signature_algorithm = Obj_nid2obj(NID_sha1WithRSAEncryption);
>>
>> Is that the only way, or is there a higher level call to add the
>> algorithm ID in both places and the signature in one call?
>>
>>
>>
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>
>
>
>
> --
> --
> Cristian Thiago Moecke
>
