Generate Subject Hash of X509Certificate in Java -


i'm trying generate subject hash using java security api , bouncycastle.

here's do, when use openssl library:

openssl x509 -in  /users/sn0wfreezedev/downloads/test.pem -hash 

this generates short 8 digit hash 1817886a

this java code

x509certificate cert = certmanager.getcertificate(number, c);   messagedigest sha1 = messagedigest.getinstance("sha1"); system.out.println("  subject " + cert.getsubjectdn()); system.out.println("   issuer  " + cert.getissuerdn()); sha1.update(cert.getsubjectdn().getname().getbytes()); string hexstring =  bytestohex(sha1.digest()); system.out.println("   sha1    " + hexstring); system.out.println(); 

this generates short 8 digit hash 1817886a

there 2 forms of openssl:

$ cd openssl-1.0.2-src $ grep -r x509_subject_name_hash * ... crypto/x509/x509.h:unsigned long x509_subject_name_hash(x509 *x); crypto/x509/x509.h:unsigned long x509_subject_name_hash_old(x509 *x); crypto/x509/x509_cmp.c:unsigned long x509_subject_name_hash(x509 *x) crypto/x509/x509_cmp.c:unsigned long x509_subject_name_hash_old(x509 *x) ... 

generate subject hash of x509certificate in java...

here source them crypto/x509/x509_cmp.c:

unsigned long x509_subject_name_hash(x509 *x) {     return (x509_name_hash(x->cert_info->subject)); }  #ifndef openssl_no_md5 unsigned long x509_subject_name_hash_old(x509 *x) {     return (x509_name_hash_old(x->cert_info->subject)); } #endif 

and finally:

unsigned long x509_name_hash(x509_name *x) {     unsigned long ret = 0;     unsigned char md[sha_digest_length];      /* make sure x509_name structure contains valid cached encoding */     i2d_x509_name(x, null);     if (!evp_digest(x->canon_enc, x->canon_enclen, md, null, evp_sha1(),                     null))         return 0;      ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8l) |            ((unsigned long)md[2] << 16l) | ((unsigned long)md[3] << 24l)         ) & 0xffffffffl;     return (ret); }  #ifndef openssl_no_md5 unsigned long x509_name_hash_old(x509_name *x) {     evp_md_ctx md_ctx;     unsigned long ret = 0;     unsigned char md[16];      /* make sure x509_name structure contains valid cached encoding */     i2d_x509_name(x, null);     evp_md_ctx_init(&md_ctx);     evp_md_ctx_set_flags(&md_ctx, evp_md_ctx_flag_non_fips_allow);     if (evp_digestinit_ex(&md_ctx, evp_md5(), null)         && evp_digestupdate(&md_ctx, x->bytes->data, x->bytes->length)         && evp_digestfinal_ex(&md_ctx, md, null))         ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8l) |                ((unsigned long)md[2] << 16l) | ((unsigned long)md[3] << 24l)             ) & 0xffffffffl;     evp_md_ctx_cleanup(&md_ctx);      return (ret); } #endif 

i2d_x509_name encodes x509_name standard representation using rfc 2459 (and elsewhere). used, example, in certificate subject , issuer names.

you can see openssl uses name string commands openssl x509 -in <cert> -text -noout. similar c=us, st=california, l=mountain view, o=google inc, cn=www.google.com (taken google certificate).


generate subject hash of x509certificate in java...

in big picture, generating hash of subject's distinguished name string , returning unsigned long. unsigned long truncated hash.

x509_subject_name_hash uses sha-1, , x509_subject_name_hash_old uses md5.


(comment) ... how can use sha1 hash generate short hash

openssl provides hex encoding of truncated hash. whole hash in md. md 16 bytes (md5) or 20 bytes (sha-1).

the truncation occurs selection of bytes [0,3] , bit operations on md[0], md[1], md[2] , md[3].

the 8 digits comes hex encoding 4 bytes.


Comments

Popular posts from this blog

c++ - Difference between pre and post decrement in recursive function argument -

php - Nothing but 'run(); ' when browsing to my local project, how do I fix this? -

php - How can I echo out this array? -