如何生成CSR的数字签名?

时间:2018-03-10 18:01:14

标签: ssl openssl digital-signature csr

我目前正在了解证书签名请求(csr)的工作原理。我的csr的内容看起来像这样

Size: 2
b'6757'
b'1234'
b'FRIEND'
b'9786'

我想弄清楚的是如何生成签名块(签名算法:sha256WithRSAEncryption)。我的理解是,公钥的哈希是由私钥加密的,即:

openssl req -text -noout -verify -in  bobsbooks.com.csr
verify OK
Certificate Request:
Data:
    Version: 0 (0x0)
    Subject: C=UK, ST=Hampshire, L=Southampton, O=Bob's books Ltd, OU=IT Department, CN=bobsbooks.com/emailAddress=admin@bobsbooks.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00:94:e6:c2:33:ee:e0:67:c9:aa:e8:ff:82:07:40:
                0e:91:ca:19:ea:b2:98:2a:87:b7:1a:ce:c7:d3:3b:
                e3:a9:39:9d:8d:7f:e6:26:84:70:4a:a8:49:97:e9:
                37:72:07:98:58:77:98:03:a7:fd:0f:9e:0d:7f:f6:
                d7:84:ac:40:79:2b:bd:62:18:da:75:f3:e8:5e:33:
                48:82:e4:c2:91:0b:81:74:11:cd:d4:3c:f2:60:f6:
                de:a2:32:97:fd:8c:73:53:6e:fe:33:6c:28:2b:d0:
                e9:9f:af:dc:b3:c6:30:04:bb:e0:e5:41:d8:4b:78:
                b9:0b:53:b2:32:c4:33:62:e0:11:cc:b7:59:26:96:
                95:82:ca:0e:22:37:70:ca:06:9f:1d:27:41:6d:b4:
                64:c6:1b:09:8e:85:72:e0:72:54:1e:eb:ee:d7:54:
                d6:b9:98:99:61:46:1b:1c:da:2d:35:8a:0a:59:bf:
                fe:e9:bd:92:5b:52:74:44:ab:1d:a0:6c:2d:6d:a2:
                6b:d1:ce:ed:ca:ce:a6:0a:d4:4a:14:22:4c:bb:f9:
                1b:e8:8f:74:32:f2:12:4b:6c:54:e4:35:b0:bf:e1:
                3b:83:f0:57:da:55:be:5e:38:03:c2:2c:36:8c:19:
                e0:e5:af:91:67:38:4d:7a:10:04:3d:e2:72:c9:3e:
                eb:ed
            Exponent: 65537 (0x10001)
    Attributes:
        a0:00
Signature Algorithm: sha256WithRSAEncryption
     67:0a:00:b3:62:36:13:e6:c6:ef:04:10:5b:ec:1f:54:fe:55:
     c1:50:30:bc:ca:ae:c6:61:a4:44:9d:98:d5:9b:84:a0:93:60:
     6b:83:02:62:a3:73:96:10:55:f3:90:9e:85:00:22:78:0a:1f:
     45:1c:d0:e6:03:8a:35:72:ce:44:66:08:19:65:44:d7:12:5d:
     00:0a:b9:db:3b:1f:a7:a6:fa:a9:84:f5:3a:61:5f:14:48:89:
     37:37:b4:b0:1f:51:48:2d:02:6b:f4:ff:6b:4d:d3:56:c5:2e:
     43:46:67:6a:cc:be:07:86:b3:82:12:4c:06:67:33:35:5e:63:
     b0:76:33:13:1f:85:70:d9:b6:1e:b3:76:ee:f3:54:40:09:a8:
     60:bc:35:21:cd:1e:bc:bb:49:c8:10:ae:11:03:c9:d2:fa:7c:
     40:9a:53:08:d6:7e:08:9b:be:43:9a:60:79:25:14:7f:5e:6d:
     81:45:2f:39:89:91:3d:8b:8e:3b:84:9c:50:e4:40:88:e1:82:
     cb:5d:3f:af:13:2c:d0:34:3d:c3:e7:35:11:f3:ac:70:1d:b5:
     2e:ae:d6:35:5c:45:75:5c:b5:81:82:a5:c4:73:4e:8a:09:1f:
     5c:44:b7:73:42:d7:68:a0:e2:30:91:4d:29:04:32:e2:1e:bc:
     12:37:74:00

但是这个输出看起来不像签名。我一定是

1 个答案:

答案 0 :(得分:2)

解决疑问的最佳方法是参考RFC 2986 - PKCS#10 Certification Request Syntax 

CertificationRequest ::= SEQUENCE {
       certificationRequestInfo CertificationRequestInfo,
       signatureAlgorithm AlgorithmIdentifier{{ SignatureAlgorithms }},
       signature          BIT STRING
  }
     

签名过程包括两个步骤:

     
      

  1. certificationRequestInfo组件的值是DER          编码,产生一个八位字符串。

    2.   

  2. 步骤1的结果与认证请求一起签名          指定签名下的主题私钥          算法,产生一个字符串,签名。

    3.   

因此它签署了整个CSR,而不仅仅是公钥。

相关问题
最新问题