Manually verifying signature on X.509 certificate

Manually verifying signature on X.509 certificate

by Anthony M. Floyd

Hi,

I have a self-signed certificate generated by OpenSSL.  I'm using Python
and various libraries (PyCrypto, tlslite) to programmatically access the
certificate.  I'm not having any problems pulling the data out of the
certificate.

Now I want to validate the certificate.  My current understanding, and
please correct me if I'm wrong, is that when the certificate was
generated, its data was hashed and the hash was encrypted with the
private key.  This signature is then tacked on to the end of the data
and the whole bundle of data + signature algorithm identifier +
signature is the certificate.

So to check the signature, it should be as easy as to hash the data,
decrypt the signature with the public key and compare the two.

Is this correct?

I'm having some problems if that's the case.  The biggest problem is
knowing how much of 'the data' to hash.  At the moment I'm taking the
binary blob that is essentially the certificate in DER form and
stripping the signature and signature algorithm from the end of the
blob.  I then hash the blob and compare the hash to the decrypted
signature.  They don't match, so I remove one byte more, compare, and so
on.  I've tried stripping only the signature and systematically removing
more and more, but still no match.

Any suggestions?

Thanks,
Anthony.

--
Anthony Floyd, PhD
Convergent Manufacturing Technologies Inc.
6190 Agronomy Rd, Suite 403
Vancouver BC  V6T 1Z3
CANADA

Email: Anthony.Floyd@... | Tel:   604-822-9682 x102
WWW:   http://www.convergent.ca    | Fax:   604-822-9659  

CMT is hiring: See http://www.convergent.ca for details

 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@...
Automated List Manager                           majordomo@...

Re: Manually verifying signature on X.509 certificate

by Dr. Stephen Henson

On Thu, May 08, 2008, Anthony Floyd wrote:

> Hi,
>
> I have a self-signed certificate generated by OpenSSL.  I'm using Python
> and various libraries (PyCrypto, tlslite) to programmatically access the
> certificate.  I'm not having any problems pulling the data out of the
> certificate.
>
> Now I want to validate the certificate.  My current understanding, and
> please correct me if I'm wrong, is that when the certificate was
> generated, its data was hashed and the hash was encrypted with the
> private key.  This signature is then tacked on to the end of the data
> and the whole bundle of data + signature algorithm identifier +
> signature is the certificate.
>
> So to check the signature, it should be as easy as to hash the data,
> decrypt the signature with the public key and compare the two.
>
> Is this correct?
>
> I'm having some problems if that's the case.  The biggest problem is
> knowing how much of 'the data' to hash.  At the moment I'm taking the
> binary blob that is essentially the certificate in DER form and
> stripping the signature and signature algorithm from the end of the
> blob.  I then hash the blob and compare the hash to the decrypted
> signature.  They don't match, so I remove one byte more, compare, and so
> on.  I've tried stripping only the signature and systematically removing
> more and more, but still no match.
>

To do that properly you do need to at least parse some of the ASN1 data. There
is some header information at the start which contains the SEQUENCE tag+length
bytes.

The actual bit you will hash is in the middle of the data. One SEQUENCE
header is deleted from the start and some data from the ends. If you parse a
few tag+length bytes you can work out how much to hash and the position
and length of the signature.

If you use the asn1parse tool from OpenSSL it will give you lots of useful
info.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: Manually verifying signature on X.509 certificate

by David Schwartz


> To do that properly you do need to at least parse some of the
> ASN1 data. There
> is some header information at the start which contains the
> SEQUENCE tag+length
> bytes.
>
> The actual bit you will hash is in the middle of the data. One SEQUENCE
> header is deleted from the start and some data from the ends. If
> you parse a
> few tag+length bytes you can work out how much to hash and the position
> and length of the signature.
>
> If you use the asn1parse tool from OpenSSL it will give you lots of useful
> info.

This page is helpful as well:
http://en.wikipedia.org/wiki/X.509

Under "Structure of a certificate", it shows that a certificate consists of
an inner certificate (sometimes called the TBS certificate), followed by the
certificate signature algorithm and the signature itself. The signature is
on the hash of the data in the inner certificate object (not including its
type and length bytes).

DS



RE: Manually verifying signature on X.509 certificate

by Anthony M. Floyd

> This page is helpful as well:
> http://en.wikipedia.org/wiki/X.509
>
> Under "Structure of a certificate", it shows that a
> certificate consists of
> an inner certificate (sometimes called the TBS certificate),
> followed by the
> certificate signature algorithm and the signature itself. The
> signature is
> on the hash of the data in the inner certificate object (not
> including its
> type and length bytes).

Thanks, I've been using that page pretty extensively as a reference too
and I have to say that it is definitely one of the clearest explanations
I've seen.  I think that my problem has been that I've been including
the outer type and length bytes when I hash the 'data'.  The WP page
implies that, but in the addled state that my brain's been in for the
past day or two while looking at all the RFCs, commentaries, and so on,
I overlooked it.

Thanks,
Anthony.

RE: Manually verifying signature on X.509 certificate

by Anthony M. Floyd

> To do that properly you do need to at least parse some of the
> ASN1 data. There
> is some header information at the start which contains the
> SEQUENCE tag+length
> bytes.

Right.  This isn't a problem, as I've been pulling the data out by
parsing the ASN.1 data anyway.
 
> The actual bit you will hash is in the middle of the data.
> One SEQUENCE
> header is deleted from the start and some data from the ends.
> If you parse a
> few tag+length bytes you can work out how much to hash and
> the position
> and length of the signature.

Actually, I already have the signature.  But what I don't quite grok is
how the signature was generated.

I've been using http://rfc-ref.org/RFC-TEXTS/3280/chapter12.html#sub3 as
a guide to parsing the ASN.1 data.  When I look at that example
(12.3.C.3) I see an encapsulating SEQUENCE that contains a SEQUENCE that
contains all the certificate data, a SEQUENCE that identifies the
signature's hash/encryption algorithm, and then a BIT STRING with the
actual signature.

To generate the signature, has that first embedded SEQUENCE (the one
that contains the certificate data) been hashed entirely?  Including the
tag and length fields?  Or has some subset of that been hashed?  I
assume that the SEQUENCE with the hash/encryption algorithm is omitted
and clearly the signature isn't included.  Is there anything else
omitted?

Thanks for your help,
Anthony.


Re: Manually verifying signature on X.509 certificate

by Dr. Stephen Henson

On Fri, May 09, 2008, Anthony Floyd wrote:

> To generate the signature, has that first embedded SEQUENCE (the one
> that contains the certificate data) been hashed entirely?  Including the
> tag and length fields?  Or has some subset of that been hashed?  I
> assume that the SEQUENCE with the hash/encryption algorithm is omitted
> and clearly the signature isn't included.  Is there anything else
> omitted?

Well the first embedded SEQUENCE is the tbsCertificate data. You need to hash
all of that including the SEQUENCE tag+length bytes.

From the top you skip the first SEQUENCE tag+length and hash the second one.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
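
Added example, not part of the original thread or of OpenSSL: the rule above (skip the outer SEQUENCE header, hash the second SEQUENCE including its tag+length bytes) applied in Python to a constructed toy certificate. The RSA key, the TBS contents and all function names are assumptions made for the demonstration; the check rebuilds the full PKCS#1 v1.5 block and compares it whole rather than parsing the recovered padding.

```python
import hashlib

# Constructed demo key, NOT secure: two Mersenne primes keep the modulus to one line.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus size in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def tlv(tag, value):
    """DER-encode one element, using long-form length for values of 128+ bytes."""
    n, nbytes = len(value), (len(value).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + value

def read_tlv(buf, off):
    """Return (tag, header_len, value_len) for the element starting at buf[off]."""
    tag, nlen = buf[off], buf[off + 1] & 0x7F
    if buf[off + 1] < 0x80:
        return tag, 2, nlen
    return tag, 2 + nlen, int.from_bytes(buf[off + 2:off + 2 + nlen], "big")

def split_certificate(der):
    """Skip the outer SEQUENCE header; return (tbs with its own header, signature)."""
    outer_tag, off, _ = read_tlv(der, 0)
    elems = []
    for _ in range(3):  # tbsCertificate, signatureAlgorithm, signatureValue
        tag, hdr, vlen = read_tlv(der, off)
        elems.append((tag, der[off:off + hdr + vlen], der[off + hdr:off + hdr + vlen]))
        off += hdr + vlen
    if [outer_tag] + [e[0] for e in elems] != [0x30, 0x30, 0x30, 0x03] or off != len(der):
        raise ValueError("unexpected certificate layout")
    return elems[0][1], elems[2][2][1:]  # [1:] drops the BIT STRING unused-bits octet

def emsa_pkcs1_v15(data):
    """Expected padded block: 00 01 FF..FF 00 DigestInfo(SHA-256(data))."""
    info = SHA256_PREFIX + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(info) - 3) + b"\x00" + info

def signature_matches(signed_bytes, sig):
    """Apply the public key to sig and compare the whole padded block."""
    block = pow(int.from_bytes(sig, "big"), E, N).to_bytes(K, "big")
    return len(sig) == K and block == emsa_pkcs1_v15(signed_bytes)

def make_demo_cert():
    """Constructed toy certificate with the X.509 outer shape (not a real tbsCertificate)."""
    tbs = tlv(0x30, tlv(0x02, b"\x01") + tlv(0x0C, b"constructed demo subject" * 8))
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    sig = pow(int.from_bytes(emsa_pkcs1_v15(tbs), "big"), D, N).to_bytes(K, "big")
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" + sig))
```

`signature_matches(*split_certificate(make_demo_cert()))` is true only for the TBS bytes with their SEQUENCE header; on a real certificate, `openssl asn1parse` prints the same offsets and header lengths that `read_tlv` computes.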

Re: Manually verifying signature on X.509 certificate

by Dr. Stephen Henson

On Fri, May 09, 2008, Anthony Floyd wrote:

> To generate the signature, has that first embedded SEQUENCE (the one
> that contains the certificate data) been hashed entirely?  Including the
> tag and length fields?  Or has some subset of that been hashed?  I
> assume that the SEQUENCE with the hash/encryption algorithm is omitted
> and clearly the signature isn't included.  Is there anything else
> omitted?
>

There is an example here:

http://www.openssl.org/docs/apps/rsautl.html#EXAMPLES

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk

RE: Manually verifying signature on X.509 certificate

by Anthony M. Floyd

> There is an example here:
>
> http://www.openssl.org/docs/apps/rsautl.html#EXAMPLES
>

Awesome, that is exactly what I'm looking for.  

Thanks!
Anthony.

RE: Manually verifying signature on X.509 certificate

by David Schwartz


> Well the first embedded SEQUENCE is the tbsCertificate data. You
> need to hash
> all of that including the SEQUENCE tag+length bytes.

This is correct. My previous statement that you don't include the tag and
length bytes was incorrect. Sorry.

DS


