I'm trying to perform the fingerprint of a TBSCertificate in order to sign it and insert it in a x509 certificate. I can't find any tool or library that allow me to do it separately.
I can create a x509 certificate and perform the signature like with openssl or many libraries but it will be included directly into the certificate, and I need to modify the signature before including it.
Do you know anyone?
I finally managed to do it using the pyasn1 library for python.
In case someone need it in the future, here you have a conversation in the pyasn1 mailing talking about it:
https://sourceforge.net/p/pyasn1/mailman/message/34523982/
and my personal solution:
from M2Crypto import X509, EC, EVP
from hashlib import sha256
from pyasn1_modules.rfc2314 import Signature
from pyasn1_modules.rfc2459 import Certificate
from pyasn1.codec.der import encoder, decoder
csr = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNyakNDQVpZQ0FRQXdEUVlKS29aSWh2Y05BUUVMQlFBd2dZWXhDekFKQmdOVkJBWVRBa05VTVJJd0VBWUQKVlFRSURBbENZWEpqWld4dmJtRXhFekFSQmdOVkJBY01Da0psYkd4aGRHVnljbUV4RVRBUEJnTlZCQW9NQ0ZCaAplVk5sYm5ObE1Rd3dDZ1lEVlFRTERBTkJRMEV4RERBS0JnTlZCQU1NQTBGRFFURWZNQjBHQ1NxR1NJYjNEUUVKCkFSWVFZV05oUUdSbGFXTXVkV0ZpTG1OaGREQWVGdzB4TlRFd01EZ3dPVFF4TURKYUZ3MHhOakV3TURjd09UUXgKTURKYU1JR0FNUXN3Q1FZRFZRUUdFd0pEVkRFU01CQUdBMVVFQ0F3SlFtRnlZMlZzYjI1aE1STXdFUVlEVlFRSApEQXBDWld4c1lYUmxjbkpoTVF3d0NnWURWUVFLREFOVlFVSXhEVEFMQmdOVkJBc01CRVJGU1VNeEt6QXBCZ05WCkJBTU1JbTF0VjFGVlFsbFpWMVJ2V2xwTmNIYzBjR0ZXVG5NeVRXNXZTbE5oUlZkUmVua3dWakFRQmdjcWhrak8KUFFJQkJnVXJnUVFBQ2dOQ0FBUjVJTWU2aDJwUlpwM201b25VcWloeGwyNkFIQjhMR01WZCtMWUNFTUl4V2U1ZQpySVJmcDA5bHNPUjB3L1B3T3N0bzRXSWFYOXFPSnBTb2JwZFlYRnJaTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCCkFRQXdHZVl3bkM5MmErR1g3VXE4N1k5Z3hXdFVKUWZiUlRwbXdCV1NPdmNlS3Z2Ky9zV3o5VFRqSGRKbElqVnYKbkQ5RHY5aHVlQUVONkE3Sm43SE80ZDhwelJ2d3pQSU5peXN4TUlzaWsxbldpTTRieTBLSDh4bE5SZEFoc3ZZTApVQ3hLSXVGMm1sUytJRGVtMUQyZE96L3ZFZlcrZVE4NVhsSVRycExpMFZlY3d5NnhwejNMN2R2SEdTOFJ1aVlyCkxkS1J3VnVGYmI4QmRHdVJ3dHgwNCtEeGJFKzlUb3hHSmFiM1VaV1loV3ByekcyS2owV0pORW44UlBwWXJjb2sKY3lBSTh4OFh0TDUrZUs5aklpV1NlcHIzcU9Zc3V6V2NqZ2VIeUdCUHNqN1lRQ2ZuWVFTbHBJMzJHRnZ5YWRmTApmRmZXSExxZE9nQmVET2JwenlaVDlyazkKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=="
cert = X509.load_cert_string(b64decode(csr))
ca_pkey = EVP.load_key(ACA_KEY)
asn1_cert = decoder.decode(cert.as_der(), asn1Spec=Certificate())[0]
tbs = asn1_cert.getComponentByName("tbsCertificate")
tbs_der = encoder.encode(tbs)
digest = sha256()
digest.update(tbs_der)
signature = ca_pkey.get_rsa().sign(digest.digest(), "sha256")
# Take the raw signature and turn it into a BitString representations (special thanks to Alex <[email protected]>)
bin_signature = Signature("'%s'H" % ''.join("%02X" % ord(c) for c in signature))
asn1_cert.setComponentByName("signatureValue", bin_signature)
# Check that both certificates matches
cert.sign(ca_pkey, md='sha256')
print cert.as_text()
print encoder.encode(asn1_cert) == cert.as_der()
The initial csr is a base64 encoded X509 Certificate in BER.
Is important to stress the csr already contains the proper Signature Algorithm.