Is there a better (more reliable or standard) way to script the extraction of a signature of a signed x.509 certificate:
SIGNED_CERTIFICATE=/path/to/signed/x509-cert.pem
openssl x509 -in "${SIGNED_CERTIFICATE}" -text -noout | tac | sed '/.*Signature Algorithm:/q' | tac
I am looking for the hexdump of the signature for use in a bash script. Currently this works on all (but few) signed certs I tested but relies on the signature being the last thing outputted in openssl x509. I also know how to manually use openssl asn1parse to extract this, but it requires you to look at the output and is harder to automate.
Thanks
Are you after something like this:
openssl x509 -in /usr/local/share/ca-certificates/TestCA.crt -text -noout -certopt ca_default -certopt no_validity -certopt no_serial -certopt no_subject -certopt no_extensions -certopt no_signame
Signature Algorithm: sha1WithRSAEncryption
6d:94:92:e0:e4:a4:f4:65:aa:e3:cc:1b:9f:2a:01:b0:20:cf:
67:5a:58:cf:aa:d9:99:08:07:91:9a:0b:b6:2b:52:9d:f0:e5:
0d:50:cb:66:8c:a6:93:21:36:11:c7:30:98:45:65:43:e1:54:
a5:22:0bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1e:05:
0e:e3:10:01:73:06:5b:98:f5:e8:6d:73:a5:65:8d:3d:48:b0:
21:4a:30:9f:7c:7d:99:d0:e7:c1:cc:22:fa:c4:fc:9c:48:3f:
ff:83:72:98:d0:33:3b:05:69:84:fd:7b:bc:b8:e6:44:96:cf:
58:27:4c:c3:d1:9d:c1:f1:02:f8:3c:11:92:fe:fa:c1:ff:48:
cf:a8:e9:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx:9b:b0:4f:c2:ca:
28:5b:13:c2:1d:c9:79:7a:71:4c:9c:4a:f5:26:60:6d:75:3f:
00:31:57:8f:00:99:ca:93:52:5d:fc:dd:71:76:1b:22:61:4b:
5f:29:f6:77:fd:f0:e5:20:dc:fd:e1:d5:d2:05:a3:3f:96:2c:
d9:cc:d9:87:9c:7b:16:c8:4f:2c:2e:b6:dd:bd:e5:9b:d7:97:
c5:b0:31:19:69:a7:f8:f9:3e:b2:0b:3d:b0:13:68:a1:1d:ee:
e3:86:60:77
Giving the proper arguments to openssl x509 sounds like a better way to achieve what you're after. All options are in the TEXT section of the x509 manpage.
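A layout-independent alternative to filtering the -text output, as an added example that is not part of either post: it walks the DER structure of the certificate (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }) and returns the signature bytes as hex. The function names and the sample input are assumptions made for this example; the sample is a constructed, certificate-shaped DER blob with a dummy 256-byte signature, not a real certificate.

```python
import base64
import re

def read_tlv(buf, pos, expect):
    """Return (value_start, value_end) of the DER element at pos, checking its tag."""
    if pos + 2 > len(buf) or buf[pos] != expect:
        raise ValueError("expected DER tag 0x%02x at offset %d" % (expect, pos))
    first = buf[pos + 1]
    if first < 0x80:                        # short form: the byte is the length
        start, length = pos + 2, first
    else:                                   # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER element")
    return start, start + length

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block")
    return base64.b64decode("".join(m.group(1).split()))

def signature_hex(der):
    """Hex of signatureValue, the third and last field of the outer Certificate SEQUENCE."""
    pos, end = read_tlv(der, 0, 0x30)
    for _ in range(2):                      # skip tbsCertificate, signatureAlgorithm
        pos = read_tlv(der, pos, 0x30)[1]
    start, stop = read_tlv(der, pos, 0x03)  # signatureValue is a BIT STRING
    if stop != end or stop == start or der[start] != 0:
        raise ValueError("signatureValue is not a byte-aligned BIT STRING")
    return der[start + 1:stop].hex()        # drop the unused-bits octet

def tlv(tag, value):                        # minimal DER encoder, only for the sample
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

# Constructed sample: placeholder TBS, sha256WithRSAEncryption OID, dummy signature.
SAMPLE_SIG = bytes(range(256))
SAMPLE_DER = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01"))
                 + tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
                 + tlv(0x03, b"\x00" + SAMPLE_SIG))
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
if __name__ == "__main__":
    print(signature_hex(pem_to_der(SAMPLE_PEM)))
```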