RGD:how to extract public key from x509 certificate version 1


ngn

May 11, 2012, 5:23:09 AM
to cryptop...@googlegroups.com


In the program:

BERGeneralDecoder context(tbsCert,0x02); // consume the context tag on the version

word32 ver;

BERDecodeUnsigned<word32>(context,ver,BOOLEAN,0,2); // only want a v1 cert

But I am not able to understand what the second argument of the
BERGeneralDecoder constructor (context), i.e. asnTag, tells.
And what is the value of asnTag for version 1? I know for version 3 it is 0xa0.

In BERDecodeUnsigned's constructor, what should I pass as the 3rd, 4th and 5th
arguments, and what is the significance of these arguments?
Please reply as soon as possible.
--
View this message in context: http://old.nabble.com/RGD%3Ahow-to-extract-public-key-from-x509-certificate--version-1-tp33774365p33774365.html
Sent from the Crypto++ Users mailing list archive at Nabble.com.

Geoff Beier

May 11, 2012, 9:08:31 AM
to ngn, cryptop...@googlegroups.com
Isn't version defaulted to 1 in the ASN.1 module? (I didn't go grab it
to look, but I'm nearly certain it is.) In that case, it'd be omitted.

Geoff

Geoff Beier

May 28, 2012, 7:24:04 AM
to neha gupta, Crypto++ Users
(Now that I've seen your certificate, going back on-list for the sake
of the archives :-) )

Certificate is a sequence:

Certificate ::= SEQUENCE {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING }

The first field, tbsCertificate is also a sequence:

TBSCertificate ::= SEQUENCE {
    version         [0]  Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  Extensions OPTIONAL
                         -- If present, version MUST be v3 -- }

Version ::= INTEGER { v1(0), v2(1), v3(2) }

In TBSCertificate, the first field is version. Since that has a
default value of v1, if the version is v1 a BER encoder may or may not
include it in the encoded structure. A DER encoder must not include it
in the structure. The way you can tell whether or not version is
present is by looking for the context tag, [0].

In the cert you sent, I see:

0 1332: SEQUENCE {
4 796: . SEQUENCE {
8 1: . . INTEGER 1
11 13: . . SEQUENCE {
13 9: . . . OBJECT IDENTIFIER sha1withRSAEncryption (1 2 840 113549 1 1 5)
: . . . . (PKCS #1)
24 0: . . . NULL
: . . . }

Note the absence of a tagged integer at the beginning. That means
there's no version field to read and your decoder must assume it's a
v1 cert.

HTH,

Geoff
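
The check described in the message above, as an added example that is not from the thread or from Crypto++: a stand-alone C++ DER walker (no Crypto++ calls) that looks for the [0] context tag, assumes v1 when it is absent, and returns the byte span of subjectPublicKeyInfo. The names read_tlv and find_spki and the two sample byte arrays are made up for illustration; the samples are constructed skeletons, not real certificates.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

struct Tlv { uint8_t tag; size_t start, body, len; };  // header offset, content offset, content length
struct Spki { int version; size_t offset, size; };     // span of the whole subjectPublicKeyInfo TLV

// Read one DER header at pos; the element must fit inside [pos, end).
static Tlv read_tlv(const std::vector<uint8_t>& d, size_t pos, size_t end) {
    if (end > d.size() || pos + 2 > end) throw std::runtime_error("truncated header");
    Tlv t{d[pos], pos, pos + 2, d[pos + 1]};
    if (t.len & 0x80) {                                // long form: low 7 bits = count of length bytes
        size_t n = t.len & 0x7f;
        if (n == 0 || n > 4 || n > end - t.body) throw std::runtime_error("bad length");
        t.len = 0;
        for (size_t i = 0; i < n; ++i) t.len = (t.len << 8) | d[t.body++];
    }
    if (t.len > end - t.body) throw std::runtime_error("value overruns parent");
    return t;
}

Spki find_spki(const std::vector<uint8_t>& cert) {
    Tlv c = read_tlv(cert, 0, cert.size());            // Certificate
    Tlv tbs = read_tlv(cert, c.body, c.body + c.len);  // tbsCertificate
    if (c.tag != 0x30 || tbs.tag != 0x30) throw std::runtime_error("expected SEQUENCE");
    size_t end = tbs.body + tbs.len;
    int version = 1;                                   // DEFAULT v1 when [0] is absent
    Tlv f = read_tlv(cert, tbs.body, end);
    if (f.tag == 0xA0) {                               // [0] EXPLICIT wrapping INTEGER 0..2
        Tlv v = read_tlv(cert, f.body, f.body + f.len);
        if (v.tag != 0x02 || v.len != 1 || cert[v.body] > 2) throw std::runtime_error("bad version");
        version = cert[v.body] + 1;
        f = read_tlv(cert, f.body + f.len, end);
    }
    // serialNumber, signature, issuer, validity, subject, then subjectPublicKeyInfo
    static const uint8_t expect[] = {0x02, 0x30, 0x30, 0x30, 0x30, 0x30};
    for (size_t i = 0; ; ++i) {
        if (f.tag != expect[i]) throw std::runtime_error("unexpected tag in tbsCertificate");
        if (i == 5) return Spki{version, f.start, f.body + f.len - f.start};
        f = read_tlv(cert, f.body + f.len, end);
    }
}

// Constructed skeleton certificates (empty names, dummy key): v1 without [0], v3 with it.
const std::vector<uint8_t> kV1 = {0x30,0x12,0x30,0x10, 0x02,0x01,0x01, 0x30,0,0x30,0,0x30,0,0x30,0, 0x30,0x03,0x03,0x01,0x00};
const std::vector<uint8_t> kV3 = {0x30,0x17,0x30,0x15, 0xA0,0x03,0x02,0x01,0x02, 0x02,0x01,0x01, 0x30,0,0x30,0,0x30,0,0x30,0, 0x30,0x03,0x03,0x01,0x00};

int main() { Spki s = find_spki(kV1); std::printf("v%d SPKI at %zu, %zu bytes\n", s.version, s.offset, s.size); }
```

Every length is checked against the enclosing element before it is used, so a truncated or malformed certificate raises an exception instead of reading past the buffer.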

Krivak

Jun 6, 2012, 7:39:32 AM
to cryptop...@googlegroups.com

Hi,

have you already succeeded in extracting the public key from an x509 certificate? I
have a similar problem. Could you please show me a piece of code with
your solution? Thanks in advance.

Krivak




ngn wrote:
>
> In the program:
>
> BERGeneralDecoder context(tbsCert,0x02); // consume the context tag on the version
>
> word32 ver;
>
> BERDecodeUnsigned<word32>(context,ver,BOOLEAN,0,2); // only want a v1 cert
>
> But I am not able to understand what the second argument of the
> BERGeneralDecoder constructor (context), i.e. asnTag, tells.
> And what is the value of asnTag for version 1? I know for version 3 it is 0xa0.
>
> In BERDecodeUnsigned's constructor, what should I pass as the 3rd, 4th and 5th
> arguments for x509 version 1, and what is the significance of these
> arguments?
> Please reply as soon as possible.
>
