
Certificate Request Info on a PKCS#10 to be signed

I'm writing code that has to create a PKCS#10. To do that, I have to sign my "Certificate Request Info", but when I do, the application says that the signature is invalid.

I'm using OpenSSL.exe to verify the P10, and the error was: "ASN1_CHECK_TLEN: wrong tag". I think I'm signing what I shouldn't, so my question is: what's the exact format of the "Certificate Request Info" that I have to sign?

I know that it must start with a sequence, but the P10 spec says:

"The signature process consists of two steps:

  1. The value of the certificationRequestInfo component is DER encoded, yielding an octet string.
  2. The result of step 1 is signed with the certification request subject's private key under the specified signature algorithm, yielding a bit string, the signature."

I'm not sure if the start must be a SEQUENCE (0x30 0x82 "the length>256"), or an OCTET STRING (0x04 0x82 "the length>256"), according to ASN.1.

If someone could please give me an answer like the one on this post, I would be the happiest man in the world. Thank you very much:

PKCS#10 request for a object key pair from PKCS#11

Regards, David M.

Step #1 of the PKCS#10 standard talks about an octet string as the result of the certificationRequestInfo element encoding and does not refer to an ASN.1 type. The request signature is computed on this DER encoding, and therefore the to-be-signed object is an ASN.1 SEQUENCE and not an OCTET STRING.
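
An added example, not part of the original question or answer: a stdlib-only Python DER walker that pulls out the exact bytes the signature covers and rejects a request whose first element is an OCTET STRING. The helper names and the sample request (zero-filled key and signature placeholders) are constructed for illustration.

```python
# Added example: stdlib-only DER walker. All sample bytes below are constructed.

def tlv(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content

def read_tlv(buf, off=0):
    """Return (tag, header_len, content_len) of the TLV starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[off], buf[off + 1]
    hdr, length = 2, first
    if first >= 0x80:
        n = first & 0x7F
        if n == 0 or off + 2 + n > len(buf):
            raise ValueError("indefinite or truncated length")
        hdr, length = 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")
    if off + hdr + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, hdr, length

def tbs_bytes(csr_der):
    """Bytes covered by the signature: the first child of the outer
    CertificationRequest SEQUENCE, with its own tag and length included."""
    tag, hdr, length = read_tlv(csr_der)
    if tag != 0x30 or hdr + length != len(csr_der):
        raise ValueError("outer CertificationRequest must be one SEQUENCE")
    inner_tag, inner_hdr, inner_len = read_tlv(csr_der, hdr)
    if inner_tag != 0x30:
        raise ValueError("certificationRequestInfo has tag 0x%02x, expected 0x30" % inner_tag)
    return csr_der[hdr:hdr + inner_hdr + inner_len]

def build_sample(wrap_in_octet_string=False):
    """Constructed request skeleton; key and signature are zero-filled placeholders."""
    spki = tlv(0x30, tlv(0x03, b"\x00" + bytes(270)))
    info = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, b"") + spki + tlv(0xA0, b""))
    if wrap_in_octet_string:          # the mistake asked about in the question
        info = tlv(0x04, info)
    sig_alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    return tlv(0x30, info + sig_alg + tlv(0x03, b"\x00" + bytes(256)))

if __name__ == "__main__":
    print(tbs_bytes(build_sample())[:4].hex())   # 3082011e
```

The slice returned by `tbs_bytes` is what gets hashed and signed; nothing is stripped from it and nothing is wrapped around it.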
