Explain the Certificate Signature Value field of the X509 Digital Certificate

The X.509 digital certificate, signed by the CA, contains these two other fields:

1. Signature Algorithm
2. Signature Value

I understand that the "Signature Algorithm" field contains the hash algorithm that the CA used to sign the certificate, and that "Signature Value" is a signature computed over a hash. My question is: what data is hashed? Is it the public key that is part of the CSR (Certificate Signing Request), or the entire CSR?

1 answer

It is neither the public key itself nor the CSR that was used to request the certificate that forms the signature input. According to RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:

The signatureValue field contains a digital signature computed upon the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded tbsCertificate is used as the input to the signature function.

Syntax (tbs = "to be signed"):

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version MUST be v3
     }

The DER encoding of this whole structure (including its outer SEQUENCE tag and length) is the data over which the hash, and therefore the signature, is computed.

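To make the answer concrete, here is an added example that is not part of the original post or of any library: it builds a minimal X.509 v3 certificate with a hand-rolled DER encoder, signs the DER-encoded tbsCertificate with RSA PKCS#1 v1.5 over SHA-256, then parses the finished certificate back apart and checks what the signatureValue actually covers. Everything is standard library only; the RSA key is a freshly generated 1024-bit toy key (primes screened with a Fermat test), the certificate is self-signed, extensions are omitted, and all names, serial numbers and dates are made up for the demo.

```python
"""Added example (not from the original post): build a tiny X.509 v3 certificate,
sign its DER-encoded tbsCertificate (RSA PKCS#1 v1.5 / SHA-256), then parse the
finished certificate and check what signatureValue covers. Stdlib only; toy key."""
import hashlib
import secrets

SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17
OID_SHA256_RSA, OID_RSA, OID_CN = "1.2.840.113549.1.1.11", "1.2.840.113549.1.1.1", "2.5.4.3"
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

# --- minimal DER encoder / decoder -------------------------------------------
def der(tag, content):  # Tag-Length-Value with a DER definite-form length
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):  # non-negative INTEGER, minimal two's-complement encoding
    return der(INT, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:  # base-128, high bit set on every byte but the last
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += chunk
    return der(OID, bytes(body))

def read_tlv(buf, pos=0):  # -> (tag, value, end_offset) of the TLV at buf[pos]
    tag, ln, hdr = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        nb = ln & 0x7F
        ln, hdr = int.from_bytes(buf[hdr:hdr + nb], "big"), hdr + nb
    return tag, buf[hdr:hdr + ln], hdr + ln

# --- toy RSA with PKCS#1 v1.5 signatures --------------------------------------
def gen_rsa(bits=1024, e=65537):  # Fermat-screened primes: a demo key, not a real one
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if all(c % p for p in (3, 5, 7, 11, 13)) and all(
                    pow(secrets.randbelow(c - 3) + 2, c - 1, c) == 1 for _ in range(16)):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # n, e, d

def emsa_pkcs1_v15(msg, k):  # 00 01 FF..FF 00 || DigestInfo(SHA-256(msg)), k bytes long
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rsa_recover(sig, n, e):  # undo the private-key operation: yields the padded DigestInfo
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")

def rsa_verify(msg, sig, n, e):
    return rsa_recover(sig, n, e) == emsa_pkcs1_v15(msg, (n.bit_length() + 7) // 8)

# --- Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
def alg_id(oid):
    return der(SEQ, der_oid(oid) + der(NULL, b""))

def x509_name(cn):  # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    return der(SEQ, der(SET, der(SEQ, der_oid(OID_CN) + der(UTF8, cn.encode()))))

def build_tbs(serial, issuer_cn, subject_cn, n, e):
    spki = der(SEQ, alg_id(OID_RSA) + der(BITSTR, b"\x00" + der(SEQ, der_int(n) + der_int(e))))
    validity = der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"250101000000Z"))
    return der(SEQ, der(0xA0, der_int(2))  # version [0] EXPLICIT, v3
               + der_int(serial) + alg_id(OID_SHA256_RSA)
               + x509_name(issuer_cn) + validity + x509_name(subject_cn) + spki)

def split_certificate(cert_der):  # -> (raw tbsCertificate incl. its header, sig OID value, sig)
    _, body, _ = read_tlv(cert_der)
    _, _, tbs_end = read_tlv(body)
    _, alg, alg_end = read_tlv(body, tbs_end)
    _, sig_bits, _ = read_tlv(body, alg_end)
    return body[:tbs_end], read_tlv(alg)[1], sig_bits[1:]  # [1:] drops the unused-bits byte

def demo():
    n, e, d = gen_rsa()  # issuer key; the certificate is self-signed for brevity
    tbs = build_tbs(0x1001, "Toy CA", "example.test", n, e)
    cert = der(SEQ, tbs + alg_id(OID_SHA256_RSA) + der(BITSTR, b"\x00" + rsa_sign(tbs, n, d)))
    tbs_raw, alg_oid, sig = split_certificate(cert)
    signed_hash = rsa_recover(sig, n, e)[-32:]  # the digest the CA actually signed
    return {
        "alg_is_sha256WithRSA": alg_oid == der_oid(OID_SHA256_RSA)[2:],
        "signature_valid_over_tbs": rsa_verify(tbs_raw, sig, n, e),
        "signed_hash_is_sha256_of_tbs": signed_hash == hashlib.sha256(tbs_raw).digest(),
        "signed_hash_is_sha256_of_pubkey":
            signed_hash == hashlib.sha256(der(SEQ, der_int(n) + der_int(e))).digest(),
        "signature_valid_over_tampered_tbs":  # same key, subject changed to a different CN
            rsa_verify(build_tbs(0x1001, "Toy CA", "evil.test", n, e), sig, n, e),
    }
```

Calling `demo()` returns True for the first three checks and False for the last two: the hash recovered from the signature matches SHA-256 of the raw tbsCertificate bytes (tag and length included), not SHA-256 of the public key, and changing any TBS field (here the subject) invalidates the signature. The same `split_certificate` walk is what a verifier does on a real certificate: it never re-derives the hash from the CSR, only from the DER bytes it received.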

Source: https://habr.com/ru/post/1583908/
