Explain the Certificate Signature Value field of an X.509 Digital Certificate
An X.509 digital certificate signed by a CA contains these two fields: 1. Signature Algorithm 2. Signature Value. I know the "Signature Algorithm" field contains the hash algorithm the CA used to sign the certificate. The "Signature Value" is the signature computed over the hash. My question is: what is the data that gets hashed? Is it part of the CSR (Certificate Signing Request), or the public key of the whole CSR?
The input to the signature is neither the public key itself nor the CSR used to request the certificate. According to RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:
The signatureValue field contains a digital signature computed upon
the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded
tbsCertificate is used as the input to the signature function.
TBSCertificate ::= SEQUENCE {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version MUST be v3
     }
The DER encoding of this structure is the data over which the signature is computed.
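The following is an added, stand-alone example (not code from the original question or answer) that makes the answer concrete: it hand-builds a minimal DER-encoded Certificate, signs exactly the DER bytes of tbsCertificate with a throw-away RSA key (sha256WithRSAEncryption, PKCS#1 v1.5), then parses the certificate back and verifies signatureValue against those same bytes. It also shows that verifying the signature over the bare public key instead, or over a tbsCertificate with one byte changed, fails. Everything is pure Python 3.8+ with no third-party packages; the names, dates, serial number and the 512-bit key size are constructed for illustration only (512-bit RSA is far too small for real use).

```python
"""Added example: sign and verify the DER-encoded tbsCertificate of a
hand-built X.509 certificate.  Not the original page's code.  All field
values and the 512-bit throw-away key are constructed for illustration."""
import hashlib, math, random, secrets

# ---- minimal DER (tag-length-value) encode/decode ----
def der(tag, content):
    n = len(content)
    if n < 0x80:                       # short-form length
        ln = bytes([n])
    else:                              # long-form length: 0x80|count, then big-endian length
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + ln + content

def der_int(n):                        # INTEGER, minimal two's-complement, n >= 0
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def der_seq(*items):                   # SEQUENCE
    return der(0x30, b"".join(items))

def der_read(buf, off=0):
    """Decode the TLV at buf[off]; return (tag, content, start, end)."""
    tag, ln, pos = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        nb = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], off, pos + ln

OID_SHA256_RSA = der(0x06, bytes.fromhex("2A864886F70D01010B"))  # 1.2.840.113549.1.1.11
OID_RSA        = der(0x06, bytes.fromhex("2A864886F70D010101"))  # 1.2.840.113549.1.1.1
OID_CN         = der(0x06, bytes.fromhex("550403"))              # 2.5.4.3 commonName
NULL           = der(0x05, b"")
ALG_SHA256_RSA = der_seq(OID_SHA256_RSA, NULL)                   # AlgorithmIdentifier

def name(cn):                          # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return der_seq(der(0x31, der_seq(OID_CN, der(0x0C, cn.encode()))))

# ---- throw-away RSA key plus PKCS#1 v1.5 / SHA-256 sign and verify ----
def _is_prime(n, rounds=16):           # trial division, then Miller-Rabin
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_prime(c):
            return c

def gen_rsa(bits=512, e=65537):        # demo-sized key; returns (n, e, d)
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def pkcs1_v15_encode(data, k):
    """EMSA-PKCS1-v1_5: 00 01 FF..FF 00 || DigestInfo(SHA-256(data)), k bytes long."""
    t = DIGESTINFO_SHA256 + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(data, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(pkcs1_v15_encode(data, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(data, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == pkcs1_v15_encode(data, k)

# ---- build a v3 Certificate (no extensions) and take it apart again ----
def build_certificate(ca_n, ca_e, ca_d, subject_n, subject_e):
    """Return (certificate_der, tbs_certificate_der)."""
    spki = der_seq(der_seq(OID_RSA, NULL),                     # SubjectPublicKeyInfo
                   der(0x03, b"\x00" + der_seq(der_int(subject_n), der_int(subject_e))))
    tbs = der_seq(
        der(0xA0, der_int(2)),                                 # version [0] EXPLICIT v3
        der_int(0x1234),                                       # serialNumber (constructed)
        ALG_SHA256_RSA,                                        # signature (same as outer algorithm)
        name("Example CA"),                                    # issuer (constructed)
        der_seq(der(0x17, b"240101000000Z"), der(0x17, b"340101000000Z")),  # validity, UTCTime
        name("example.test"),                                  # subject (constructed)
        spki)
    sig = rsa_sign(tbs, ca_n, ca_d)                            # the CA signs the DER bytes of tbs, nothing else
    return der_seq(tbs, ALG_SHA256_RSA, der(0x03, b"\x00" + sig)), tbs

def split_certificate(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _, _ = der_read(cert_der)
    assert tag == 0x30
    _, _, start, end = der_read(body, 0)                       # keep the raw TLV: that is the signed input
    tbs_der = body[start:end]
    _, sig_alg, _, end = der_read(body, end)
    tag, sig_bits, _, _ = der_read(body, end)
    assert tag == 0x03 and sig_bits[0] == 0                    # BIT STRING with zero unused bits
    return tbs_der, sig_alg, sig_bits[1:]

def verify_certificate(cert_der, ca_n, ca_e):
    tbs_der, _, sig = split_certificate(cert_der)
    return rsa_verify(tbs_der, sig, ca_n, ca_e)

def demo():
    """(valid cert verifies, tampered tbs fails, signature over bare public key fails)."""
    ca_n, ca_e, ca_d = gen_rsa()
    sub_n, sub_e, _ = gen_rsa()
    cert, _ = build_certificate(ca_n, ca_e, ca_d, sub_n, sub_e)
    _, _, sig = split_certificate(cert)
    tampered = cert.replace(der_int(0x1234), der_int(0x1235))  # same length, one byte of tbs changed
    pubkey_only = der_seq(der_int(sub_n), der_int(sub_e))      # what the question guessed was signed
    return (verify_certificate(cert, ca_n, ca_e),
            verify_certificate(tampered, ca_n, ca_e),
            rsa_verify(pubkey_only, sig, ca_n, ca_e))

if __name__ == "__main__":
    print(demo())
```

On a real certificate the same split can be seen with `openssl asn1parse -in cert.pem -i`: the first child of the outer SEQUENCE is the tbsCertificate, and its bytes (header included) are what the CA hashed and signed, which is why any change to a subject, validity date, public key or extension invalidates the signature.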