> 2) In some situations that is not possible (e.g. you need it to be >> signed on a different remote system). And I just had the same need this >> week, but for Certificate Requests. There are a lot of small >> non-documented things to do in this case but basically you need to: >> a) get the der encoded value of tbsCertificate field >> b) hash it >> c) apply pkcs1 padding and sign it >> d) put the signature on asn1 form >> e) add NIDs and other parameters to the cert_info field you identified. >> I spent a lot of time learning from forums and openssl code >> (X509_REQ_sign and functions it calls in my case) what I need to do. If >> you can, go for option 1). If nto I may help you more later with 2) >> > > Yes, your flow is the same as mine. I'm looking for advice on the C > function calls. Specifically, > > Is X509_digest() useful for a) and b)? >
I dont think so. Im almost sure that this funcion will digest the full certificate (aka certificate fingerprint). Must check... I used the following function for X509_REQ. Hope it helps you to find what you need for X509. i2d_X509_REQ_INFO(x509req->req_info,NULL); // note http://www.openssl.org/support/faq.html#PROG3 when using this function > > Is there a high level call for d) and e) or must I do it using the ASN.1 > API? > For that Ive used: ASN1_BIT_STRING_set(x509req->signature,signatureByteArray,signatureSize) x509req->signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); x509req->signature->flags |= ASN1_STRING_FLAG_BITS_LEFT; x509req->sig_alg->algorithm = OBJ_nid2obj(nid); x509req->sig_alg->parameter = ASN1_TYPE_new(); //works for RSA... if you need ECDSA, need to check this x509req->sig_alg->parameter->type = V_ASN1_NULL; Hope that helps. > > (My HSM does c) and I know how to prepend the OID.) > > > ______________________________**______________________________**__________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org > -- -- Cristian Thiago Moecke