Hi,
W dniu 24.04.2013 17:36, Dr. Stephen Henson pisze:
On Mon, Apr 22, 2013, Krzysztof Benedyczak wrote:
Hi Openssl Developers,
Since openssl 1.0.0 a new subject hash is used, i.e. the output of the
openssl x509 -subject_hash ...
has changed. The old one was quite easy to decipher and commonly
known (part of the MD5 hash of the bin form of the subject name).
Now AFAIU MD5 has been changed do SHA1, but it seems that there are
also other modifications (some normalization? or?).
Is it possible to get a precise information how openssl generate the
the aforementioned subject hash? I can try to infer it from source
of course, but having an algorithm description would be of great
help.
I was trying to find some information on the topic but no luck. The
reason for the question is that in Java software I need to support
openssl-like certificates trust store.
It's a bit complex and you need to be able to decode and reencode the Name
structure to duplicate this.
The function x509_name_canon performs the reencoding this is in
crypto/asn1/x_name.c:
/* This function generates the canonical encoding of the Name structure.
* In it all strings are converted to UTF8, leading, trailing and
* multiple spaces collapsed, converted to lower case and the leading
* SEQUENCE header removed.
*
This encoding is then used to perform the hash using SHA1 in a similar way to
the old algorithm (see X509_NAME_hash function in crypto/x509/x509_cmp.c).
Thanks a lot for the answer. I've tried it on a simple DN and I was able
to reproduce the same hash as is outputted by Openssl.
However I have some general doubts regarding the algorithm:
-) what about multi-valued RDNs? According to RFC their order is
irrelevant. Do you somehow sort them for the c19 form?
-) what is the definition of the 'string' above? TeletexString,
PrintableString, UTF8String, BMPString? More or less?
Thanks again,
Krzysztof
__
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org
