Generate Subject Hash of X509Certificate in Java

I'm trying to generate the subject hash using the Java security API or BouncyCastle.

Here is what I do when I use the OpenSSL library:

    openssl x509 -in /users/sn0wfreezedev/downloads/test.pem -hash

This generates a short 8 digit hash: 1817886a

This Java code:

    import java.security.MessageDigest;
    import java.security.cert.X509Certificate;

    // bytesToHex() is the usual byte[] -> lowercase hex helper
    static String bytesToHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    X509Certificate cert = certManager.getCertificate(number, c);
    MessageDigest sha1 = MessageDigest.getInstance("SHA1");
    System.out.println(" Subject " + cert.getSubjectDN());
    System.out.println(" Issuer " + cert.getIssuerDN());
    // Hashes the DN as a string, not its DER encoding
    sha1.update(cert.getSubjectDN().getName().getBytes());
    String hexString = bytesToHex(sha1.digest());
    System.out.println(" SHA1 " + hexString);
    System.out.println();
There are two forms of it in OpenSSL:

    $ cd openssl-1.0.2-src
    $ grep -r X509_subject_name_hash *
    ...
    crypto/x509/x509.h:unsigned long X509_subject_name_hash(X509 *x);
    crypto/x509/x509.h:unsigned long X509_subject_name_hash_old(X509 *x);
    crypto/x509/x509_cmp.c:unsigned long X509_subject_name_hash(X509 *x)
    crypto/x509/x509_cmp.c:unsigned long X509_subject_name_hash_old(X509 *x)
    ...
Here is the source for them in crypto/x509/x509_cmp.c:

    unsigned long X509_subject_name_hash(X509 *x)
    {
        return (X509_NAME_hash(x->cert_info->subject));
    }

    #ifndef OPENSSL_NO_MD5
    unsigned long X509_subject_name_hash_old(X509 *x)
    {
        return (X509_NAME_hash_old(x->cert_info->subject));
    }
    #endif
And finally:

    unsigned long X509_NAME_hash(X509_NAME *x)
    {
        unsigned long ret = 0;
        unsigned char md[SHA_DIGEST_LENGTH];

        /* Make sure X509_NAME structure contains valid cached encoding */
        i2d_X509_NAME(x, NULL);
        if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
                        NULL))
            return 0;

        ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
               ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
              ) & 0xffffffffL;
        return (ret);
    }

    #ifndef OPENSSL_NO_MD5
    unsigned long X509_NAME_hash_old(X509_NAME *x)
    {
        EVP_MD_CTX md_ctx;
        unsigned long ret = 0;
        unsigned char md[16];

        /* Make sure X509_NAME structure contains valid cached encoding */
        i2d_X509_NAME(x, NULL);
        EVP_MD_CTX_init(&md_ctx);
        EVP_MD_CTX_set_flags(&md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
        if (EVP_DigestInit_ex(&md_ctx, EVP_md5(), NULL)
            && EVP_DigestUpdate(&md_ctx, x->bytes->data, x->bytes->length)
            && EVP_DigestFinal_ex(&md_ctx, md, NULL))
            ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
                   ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
                  ) & 0xffffffffL;
        EVP_MD_CTX_cleanup(&md_ctx);
        return (ret);
    }
    #endif
i2d_X509_NAME encodes an X509_NAME into its standard representation, as used in RFC 2459 (and elsewhere). It is used, for example, for the certificate subject and issuer names.

You can see what OpenSSL uses as the name string with the command openssl x509 -in <cert> -text -noout. It is similar to C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com (taken from a Google certificate).
In the big picture, it is generating a hash of the subject's distinguished name string and returning an unsigned long. The unsigned long is the truncated hash. X509_subject_name_hash uses SHA-1, and X509_subject_name_hash_old uses MD5.
(Comment) ... How can I use the SHA-1 hash to generate the short hash?
OpenSSL provides a hex encoding of the truncated hash. The whole hash is in md. md is 16 bytes (MD5) or 20 bytes (SHA-1). The truncation occurs with the selection of bytes [0,3], i.e. the bit operations on md[0], md[1], md[2] and md[3]. The 8 digits come from the hex encoding of those 4 bytes.
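To put the answer's description into runnable form, here is an added reference implementation of what openssl x509 -hash computes. It is not code from the question, the answer, OpenSSL or BouncyCastle; it follows the 1.0.2 sources quoted above and is written in Python so each step is visible and can be ported to Java. The steps: walk the DER-encoded Name, canonicalise every string value the way asn1_string_canon() does (convert to UTF-8, trim, collapse runs of ASCII whitespace, lower-case ASCII letters), re-encode each RDN as a DER-sorted SET and concatenate them without the outer SEQUENCE (i2d_name_canon), SHA-1 the result and take md[0..3] little-endian. The build_name helper, the _oid encoder and the sample DN are constructed for this example and are not a real certificate's subject. In Java the DER Name to feed in is cert.getSubjectX500Principal().getEncoded(); the question's code hashes the DN string from getSubjectDN().getName() instead, which is why its 40-digit SHA-1 can never match.

```python
"""OpenSSL-style X.509 subject hash (openssl x509 -hash / -subject_hash_old)."""
import hashlib

SEQUENCE, SET, OID, UTF8STRING = 0x30, 0x31, 0x06, 0x0C   # ASN.1 universal tags
# String types OpenSSL canonicalises (ASN1_MASK_CANON), with the charset
# ASN1_STRING_to_UTF8() decodes them from (single-byte types are read as Latin-1).
CANON_TYPES = {0x0C: "utf-8", 0x13: "latin-1", 0x14: "latin-1", 0x16: "latin-1",
               0x1A: "latin-1", 0x1E: "utf-16-be", 0x1C: "utf-32-be"}
ASCII_SPACE = b" \t\n\r\x0b\x0c"   # what C isspace() accepts in the "C" locale


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _read_tlv(value, pos)
        out.append((tag, inner))
    return out


def _tlv(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def canon_string(tag, data):
    """Mirror asn1_string_canon(): UTF-8, trimmed, whitespace runs collapsed to
    one space, ASCII letters lower-cased; bytes >= 0x80 are copied untouched."""
    text = data.decode(CANON_TYPES[tag]).encode("utf-8").strip(ASCII_SPACE)
    out, prev_space = bytearray(), False
    for b in text:
        if b < 0x80 and b in ASCII_SPACE:
            if not prev_space:
                out.append(0x20)
            prev_space = True
        else:
            out.append(b + 32 if 0x41 <= b <= 0x5A else b)
            prev_space = False
    return bytes(out)


def canonical_name(name_der):
    """Mirror i2d_name_canon(): each RDN as a DER SET of canonicalised
    AttributeTypeAndValue SEQUENCEs, concatenated WITHOUT the outer SEQUENCE."""
    tag, body, _ = _read_tlv(name_der, 0)
    if tag != SEQUENCE:
        raise ValueError("Name must be a DER SEQUENCE")
    encoded = b""
    for set_tag, rdn in _children(body):
        if set_tag != SET:
            raise ValueError("RDN must be a DER SET")
        avas = []
        for _, ava in _children(rdn):
            (_, oid), (val_tag, val) = _children(ava)
            if val_tag in CANON_TYPES:
                val_der = _tlv(UTF8STRING, canon_string(val_tag, val))
            else:
                val_der = _tlv(val_tag, val)       # non-string values copied as-is
            avas.append(_tlv(SEQUENCE, _tlv(OID, oid) + val_der))
        avas.sort()   # DER SET OF order == OpenSSL der_cmp(): memcmp, then length
        encoded += _tlv(SET, b"".join(avas))
    return encoded


def subject_hash(name_der):
    """Mirror X509_NAME_hash(): SHA-1 of the canonical encoding, md[0..3] LE, 8 hex digits."""
    md = hashlib.sha1(canonical_name(name_der)).digest()
    return "%08x" % (md[0] | md[1] << 8 | md[2] << 16 | md[3] << 24)


def subject_hash_old(name_der):
    """Mirror X509_NAME_hash_old(): MD5 over the full DER Name (x->bytes), same truncation."""
    md = hashlib.md5(name_der).digest()
    return "%08x" % (md[0] | md[1] << 8 | md[2] << 16 | md[3] << 24)


def _oid(dotted):
    """DER content octets of a dotted OID (constructed helper for test input)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += chunk
    return bytes(out)


def build_name(*avas):
    """Constructed test input: a DER Name of single-valued RDNs from
    (dotted OID, string tag, text) triples. Not a real certificate's subject."""
    rdns = b""
    for dotted, tag, text in avas:
        value = _tlv(tag, text.encode(CANON_TYPES[tag]))
        rdns += _tlv(SET, _tlv(SEQUENCE, _tlv(OID, _oid(dotted)) + value))
    return _tlv(SEQUENCE, rdns)


if __name__ == "__main__":
    # Sample name modelled on the answer's Google example (constructed, not the real cert)
    name = build_name(("2.5.4.6", 0x13, "US"), ("2.5.4.8", 0x13, "California"),
                      ("2.5.4.7", 0x13, "Mountain View"), ("2.5.4.10", 0x13, "Google Inc"),
                      ("2.5.4.3", 0x13, "www.google.com"))
    print("openssl x509 -hash             :", subject_hash(name))
    print("openssl x509 -subject_hash_old :", subject_hash_old(name))
    # What the question's Java code computes instead: SHA-1 of the DN string, 40 hex digits
    dn = "CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US"
    print("sha1(DN string), never matches :", hashlib.sha1(dn.encode()).hexdigest())
```

Because the canonical form is case- and whitespace-insensitive, "Google Inc" as a PrintableString and "  GOOGLE   inc " as a UTF8String hash to the same value with subject_hash, while subject_hash_old (MD5 over the raw DER) distinguishes them. Note that Java's X500Principal.getName(X500Principal.CANONICAL) is Java's own canonical string form, not OpenSSL's canonical DER, so it cannot be hashed directly either; the DER from getEncoded() has to be canonicalised as above.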