digital-signature – Explain the certificate signature value field of an X.509 digital certificate

An X.509 digital certificate signed by a CA contains these two fields:
1. Signature algorithm
2. Signature value
As far as I know, the "signature algorithm" field contains the hash algorithm the CA used to sign the certificate, and the "signature value" is the signature computed over the hash.
My question is: what is the data that is hashed? Is it the public key of the CSR (certificate signing request), or the entire CSR?
Best answer
It is neither the public key nor the CSR used to request the certificate that forms the signature input.
According to RFC 5280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile:

The signatureValue field contains a digital signature computed upon
the ASN.1 DER encoded tbsCertificate. The ASN.1 DER encoded
tbsCertificate is used as the input to the signature function.

The syntax of tbsCertificate (tbs = to be signed) is:

TBSCertificate  ::=  SEQUENCE  {
     version         [0]  EXPLICIT Version DEFAULT v1,
     serialNumber         CertificateSerialNumber,
     signature            AlgorithmIdentifier,
     issuer               Name,
     validity             Validity,
     subject              Name,
     subjectPublicKeyInfo SubjectPublicKeyInfo,
     issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                          -- If present, version MUST be v2 or v3
     extensions      [3]  EXPLICIT Extensions OPTIONAL
                          -- If present, version MUST be v3
     }

The DER encoding of this structure is the data over which the signature is computed.
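As an added example (not part of the original answer), the point above can be checked by hand with openssl: build a throw-away CA and leaf certificate, split the leaf into its tbsCertificate and signatureValue, and verify the signature over the DER-encoded tbsCertificate; the same signature does not verify over the subjectPublicKeyInfo alone. All file names and subject names are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original answer): verify a certificate's
# signatureValue by hand over the DER-encoded tbsCertificate using openssl.
# All key/certificate file names and subject names are constructed for this demo.
set -e
cd "$(mktemp -d)"

make_demo_certs() {
    # Throw-away self-signed CA and a leaf certificate issued by it.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo leaf" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in leaf.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out leaf.pem 2>/dev/null
    openssl x509 -in ca.pem -pubkey -noout > ca_pub.pem      # CA public key
    openssl x509 -in leaf.pem -outform DER -out leaf.der      # whole Certificate
    # subjectPublicKeyInfo of the leaf as DER, to show it is NOT the signed data
    openssl x509 -in leaf.pem -pubkey -noout \
        | openssl pkey -pubin -outform DER -out leaf.spki 2>/dev/null
}

# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
# For a certificate of 256..65535 bytes the outer SEQUENCE header is 4 bytes
# (0x30 0x82 len len), so tbsCertificate starts at offset 4. asn1parse -strparse
# with -out writes that element, tag and length included: exactly the signed bytes.
extract_tbs() {          # $1 = certificate DER, $2 = output file
    openssl asn1parse -in "$1" -inform DER -strparse 4 -noout -out "$2"
}

extract_signature() {    # $1 = certificate DER, $2 = output file (raw signature)
    # signatureValue is the only depth-1 BIT STRING; -strparse on a BIT STRING
    # writes its content bits without the leading unused-bits byte.
    off=$(openssl asn1parse -in "$1" -inform DER \
          | grep 'd=1.*BIT STRING' | tail -1 | cut -d: -f1 | tr -d ' ')
    openssl asn1parse -in "$1" -inform DER -strparse "$off" -noout -out "$2"
}

signature_verifies() {   # $1 = candidate signed data; exit 0 iff signature verifies
    openssl dgst -sha256 -verify ca_pub.pem -signature leaf.sig "$1" >/dev/null 2>&1
}

make_demo_certs
extract_tbs leaf.der leaf.tbs
extract_signature leaf.der leaf.sig
if signature_verifies leaf.tbs;  then echo "verifies over DER(tbsCertificate)"; fi
if ! signature_verifies leaf.spki; then echo "does not verify over subjectPublicKeyInfo"; fi
```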
