Generate sha256 hash using X509 certificate

Hi,

I want to generate sha256 hash using X509 certificate information. But I do not know the order of input parameters.

ex:

serial : 014B30351483
crypto algorithm : 2A864886F70D01010B
CA name : 53494C564552
etc..

serial + crypto algorithm + CA name +... ==> sha256 hash value

To generate a hash value, I think I have to concatenate each attribute in a specific order. But I do not know the attribute order for generating the hash value. Can anyone explain this to me? Actually, I do not know the process for this.

Thank you.
I don't think (I could be wrong) that you are asking the correct question. Are you trying to work out how to digitally sign an XML document using an X.509 certificate by any chance? In which case you don't generate a hash of the X.509 certificate, you use the X.509 certificate to generate a hash of a portion of the XML document. There are different ways to achieve this. I use a library to do this.
Hi,

Thank you for the reply. Actually, I have to use an X509 certificate and a DESFire SAM to verify the certificate's signature. In that case the back-end server gives me a certificate and I have to verify its signature using a SAM. On the SAM side I have to send the plain hash and the received signature for signature verification. The SAM cannot process any kind of certificate directly. So I have to generate the hash manually and give it to the SAM with the signature for signature verification. Any idea?
Well normally when you sign a document like an xml document you embed part of the certificate within the xml document and then before you generate a hash over a specific part of the xml you canonicalise the xml. So, you could try canonicalising the certificate and then generating the hash from the certificate. Do you have a way of verifying that your hash is correct?
Hi,

Yes, I have a method to verify the signature. I have to send "hash + signature" to the SAM, then the SAM will return the verification status of the signature.
Hi,

I solved my problem. In the certificate there is a section called "tbsCertificate". Using this "tbsCertificate" section we have to generate the hash value. Before encrypting the SHA value we have to encode it into an "ASN1" format. Then we can encrypt the whole data block. Now you have your signature.

Ex:

Sample certificate in hex format:

"3082016B3081D50206014B3AA25445300D06092A864886F70D01010B0500301E310F300D0603550403130653494C564552310B3009060355040613024C4B301E170D3135303132383131333735335A170D3135303533303131333735335A301E310F300D0603550403130653494C564552310B3009060355040613024C4B305C300D06092A864886F70D0101010500034B00304802410089D1AD43B55CF90D844A602CAB0BAE39C60B99349B715E48E8861879916ED8561CC5CFF91EAAB9020BD665822A71139033A64B74E161F9C7EB9DF1ACD0EAEBEF0203010001300D06092A864886F70D01010B0500038181007C52F7C8CA8520552E48BA9F6339DB764DE1D5EF37D70EF9C43AC8182FDC1C91E979D9272ABA85F5BE538E90946871FC714F2A1072B7013739A0F94F9282416BA1AF571E5518F86EBE476E150773B09BE1B44FD5A633571BB35E649C4D1DE3E62E35F54B9D8303438845AF9FD4BE193BC2C57DC30B110B9EB4A95E23FC314899"

tbsCertificate block :

"3081D50206014B3AA25445300D06092A864886F70D01010B0500301E310F300D0603550403130653494C564552310B3009060355040613024C4B301E170D3135303132383131333735335A170D3135303533303131333735335A301E310F300D0603550403130653494C564552310B3009060355040613024C4B305C300D06092A864886F70D0101010500034B00304802410089D1AD43B55CF90D844A602CAB0BAE39C60B99349B715E48E8861879916ED8561CC5CFF91EAAB9020BD665822A71139033A64B74E161F9C7EB9DF1ACD0EAEBEF0203010001"

http://www.ietf.org/rfc/rfc3280.txt

Thank you.
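
The procedure from the last post, as an added example that is not part of the original thread: a small DER walker takes tbsCertificate and signatureValue out of the posted certificate, hashes the tbsCertificate bytes with SHA-256, and wraps the digest in the ASN.1 DigestInfo structure used by PKCS #1 v1.5 signatures. The function names are assumptions; both the bare digest and the DigestInfo are returned because which one the SAM command expects is not stated in the thread.

```python
import hashlib

# Certificate hex copied from the thread (DER encoding).
CERT_HEX = "3082016B3081D50206014B3AA25445300D06092A864886F70D01010B0500301E310F300D0603550403130653494C564552310B3009060355040613024C4B301E170D3135303132383131333735335A170D3135303533303131333735335A301E310F300D0603550403130653494C564552310B3009060355040613024C4B305C300D06092A864886F70D0101010500034B00304802410089D1AD43B55CF90D844A602CAB0BAE39C60B99349B715E48E8861879916ED8561CC5CFF91EAAB9020BD665822A71139033A64B74E161F9C7EB9DF1ACD0EAEBEF0203010001300D06092A864886F70D01010B0500038181007C52F7C8CA8520552E48BA9F6339DB764DE1D5EF37D70EF9C43AC8182FDC1C91E979D9272ABA85F5BE538E90946871FC714F2A1072B7013739A0F94F9282416BA1AF571E5518F86EBE476E150773B09BE1B44FD5A633571BB35E649C4D1DE3E62E35F54B9D8303438845AF9FD4BE193BC2C57DC30B110B9EB4A95E23FC314899"
# DigestInfo header for SHA-256 (PKCS #1 v1.5); the 32-byte digest follows it.
DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")
# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), as seen in the certificate.
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:  # short form: the byte is the length
        length, start = first, pos + 2
    else:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + length


def split_certificate(der):
    """Return (tbs_der, signature_bytes) from a DER-encoded Certificate."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one outer SEQUENCE")
    tbs_tag, _, tbs_end = read_tlv(der, start)  # 1st child: tbsCertificate
    _, _, alg_end = read_tlv(der, tbs_end)  # 2nd child: signatureAlgorithm
    sig_tag, sig_start, sig_end = read_tlv(der, alg_end)  # 3rd: BIT STRING
    if tbs_tag != 0x30 or sig_tag != 0x03 or der[sig_start:sig_start + 1] != b"\x00":
        raise ValueError("unexpected Certificate layout")
    if SHA256_RSA_OID not in der[tbs_end:alg_end]:
        raise ValueError("certificate is not signed with sha256WithRSAEncryption")
    # Hash input is the tbsCertificate TLV as encoded, tag and length included.
    return der[start:tbs_end], der[sig_start + 1:sig_end]


def sam_inputs(cert_hex):
    """Return (digest, digest_info, signature) for the given certificate hex."""
    tbs, signature = split_certificate(bytes.fromhex(cert_hex))
    digest = hashlib.sha256(tbs).digest()
    return digest, DIGESTINFO_SHA256 + digest, signature
```

The hash must be taken over the exact received bytes of tbsCertificate; re-encoding the fields before hashing can change the digest and make a valid signature fail.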