openssl hash value - how to generate ?


openssl hash value - how to generate ?

Ben Burrows
Hi,

I am trying to (independently of openssl) generate the hash for a certificate (the short string
that would be used as the symlink name in the openssl/certs directory).
eg, this command
openssl x509 -in CERT.pem -noout -hash
I am trying to do this because I wanted to know how openssl was calculating this.

At the bottom of the man page for x509 it states the following:
The hash algorithm used in the -subject_hash and -issuer_hash options before OpenSSL 1.0.0 was based on the deprecated MD5
algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN
using SHA1.

That's a great start but not enough detail to let me generate this myself.
Since I know the hash uses sha1 I should be able to generate the hash with "shasum" passing in the correct data. And there is the issue. All the combinations of data I have passed in give me a different hash to what openssl generates. It's much longer but I believe that is because openssl just chops everything past 8 chars off.
Since the man page says it's a hash of the DN (subject) I tried passing in the subject (in the various formats available from openssl).

openssl x509 -noout -in CERT.pem -text | grep Subject:
        Subject: C=GB, O=My Company, OU=My Department, CN=MyName

openssl x509 -in CERT.pem -noout -subject
subject= /C=GB/O=My Company/OU=My Department/CN=MyName

openssl x509 -in CERT.pem -noout -subject -nameopt RFC2253
subject= CN=MyName,OU=My Department,O=My Company,C=GB

I then feed that into shasum like so (showing just one of the 6 combinations. I tried the subject for the three variations with and without the "subject= " or "Subject: " prefix)

printf "CN=MyName,OU=My Department,O=My Company,C=GB" | shasum
6a73b8417b2f51195e1d0bcee3c2adbc1fb73124  -

I tried looking at the code but I am not really a coder and definitely not a C/C++ one and I was getting rather out of my depth trying to follow it.

What I THINK my problem is, is that the string that openssl is using as the input for the hash is different to what I am using. Is there some way I can see what it's using or am I going in the wrong direction here?

Regards
Ben

Re: openssl hash value - how to generate ?

OpenSSL - User mailing list
> At the bottom of the man page for x509 it states the following:
> The hash algorithm used in the -subject_hash and -issuer_hash options before OpenSSL 1.0.0 was based on the deprecated MD5
> algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN
> using SHA1.

The text isn't great.  In both cases the printed form is not what is used. Instead, by "canonical form" is meant the X.509 ASN1/DER encoding.

Your guess -- "I think I'm using a different string" -- is correct.
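As an added example (not from the thread or from OpenSSL itself), the Python below rebuilds both inputs the reply refers to for the DN in the question and hashes them the way OpenSSL does: MD5 over the plain DER of the name for the pre-1.0.0 value (`-subject_hash_old`), and SHA1 over OpenSSL's canonical encoding for the current value, which goes a step beyond the reply in that the values are re-tagged as UTF8String, ASCII-lowercased and whitespace-collapsed, each SET is put in DER order and the outer SEQUENCE header is dropped before digesting. The first four digest bytes are then read as a little-endian integer and printed as 8 hex digits, which is the "chopping" the question noticed; the OID table and the PrintableString value type are assumptions about how the certificate's subject was encoded.

```python
"""Recompute `openssl x509 -subject_hash` (SHA1, OpenSSL >= 1.0.0) and -subject_hash_old (MD5)."""
import hashlib
import struct

# DER-encoded attribute type OIDs under 2.5.4 (assumed table; extend for other attributes).
OID = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_TAG, UTF8, PRINTABLE, SEQ, SET = 0x06, 0x0C, 0x13, 0x30, 0x31

def tlv(tag, body):
    """DER tag-length-value with definite length (bodies below 64 KiB)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + length + body

def canon_string(text):
    """Mirror OpenSSL's asn1_string_canon: re-tag as UTF8String, strip leading/trailing ASCII
    whitespace, collapse inner whitespace runs to one space, lowercase ASCII letters only."""
    out, prev_space = bytearray(), True
    for b in text.encode("utf-8"):
        if b in b" \t\n\x0b\x0c\r":
            if not prev_space:
                out.append(0x20)
            prev_space = True
        else:
            out.append(b + 0x20 if 0x41 <= b <= 0x5A else b)
            prev_space = False
    if out and out[-1] == 0x20:
        out.pop()
    return tlv(UTF8, bytes(out))

def name_encodings(rdns, string_tag=PRINTABLE):
    """rdns is a list of RDNs, each a list of (attribute, value) pairs. Returns (der, canon):
    der is the plain i2d_X509_NAME output (values assumed PrintableString); canon is OpenSSL's
    canon_enc: canonicalised values, each SET in DER order, outer SEQUENCE header omitted."""
    der_sets, canon_sets = [], []
    for rdn in rdns:
        der_atvs = [tlv(SEQ, tlv(OID_TAG, OID[a]) + tlv(string_tag, v.encode("ascii"))) for a, v in rdn]
        canon_atvs = [tlv(SEQ, tlv(OID_TAG, OID[a]) + canon_string(v)) for a, v in rdn]
        der_sets.append(tlv(SET, b"".join(sorted(der_atvs))))
        canon_sets.append(tlv(SET, b"".join(sorted(canon_atvs))))
    return tlv(SEQ, b"".join(der_sets)), b"".join(canon_sets)

def openssl_hash(data, algo):
    """X509_NAME_hash: first four digest bytes as a little-endian 32-bit int, printed as 8 hex digits."""
    return "%08x" % struct.unpack("<I", hashlib.new(algo, data).digest()[:4])[0]

def subject_hash(rdns, old=False):
    """`-hash`/`-subject_hash` (SHA1 over canon) or, with old=True, `-subject_hash_old` (MD5 over DER)."""
    der, canon = name_encodings(rdns)
    return openssl_hash(der, "md5") if old else openssl_hash(canon, "sha1")
```

Call `subject_hash([[("C", "GB")], [("O", "My Company")], [("OU", "My Department")], [("CN", "MyName")]])` for the DN from the question and compare it with `openssl x509 -in CERT.pem -noout -subject_hash`; because the canonical form folds case and whitespace, `O=My Company` and `O= my  COMPANY ` produce the same current hash but different old-style hashes.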