openssl hash value - how to generate ?

Ben Burrows ben at benburrows.com
Tue Jul 30 15:03:26 UTC 2019


Hi,

I am trying to (independently of openssl) generate the hash for a certificate (the short string
that would be used as the symlink name in the openssl/certs directory).
eg, this command
openssl x509 -in CERT.pem -noout -hash
I am trying to do this because I wanted to know how openssl was calculating this.

At the bottom of the man page for x509 it states the following:
The hash algorithm used in the -subject_hash and -issuer_hash options before OpenSSL 1.0.0 was based on the deprecated MD5
algorithm and the encoding of the distinguished name. In OpenSSL 1.0.0 and later it is based on a canonical version of the DN
using SHA1.

That's a great start but not enough detail to let me generate this myself.
Since I know the hash uses sha1 I should be able to generate the hash with "shasum" passing in the correct data. And there is the issue. All the combinations of data I have passed in give me a different hash to what openssl generates. It's much longer, but I believe that is because openssl just chops everything past 8 chars off.
Since the man page says it's a hash of the DN (subject) I tried passing in the subject (in the various formats available from openssl).

openssl x509 -noout -in CERT.pem -text | grep Subject:
        Subject: C=GB, O=My Company, OU=My Department, CN=MyName

openssl x509 -in CERT.pem -noout -subject
subject= /C=GB/O=My Company/OU=My Department/CN=MyName

openssl x509 -in CERT.pem -noout -subject -nameopt RFC2253
subject= CN=MyName,OU=My Department,O=My Company,C=GB

I then feed that into shasum like so (showing just one of the 6 combinations; I tried the subject for the three variations with and without the "subject= " or "Subject: " prefix):

printf "CN=MyName,OU=My Department,O=My Company,C=GB" | shasum
6a73b8417b2f51195e1d0bcee3c2adbc1fb73124  -

I tried looking at the code but I am not really a coder and definitely not a C/C++ one, and I was getting rather out of my depth trying to follow it.

What I THINK my problem is, is that the string that openssl is using as the input for the hash is different to what I am using. Is there some way I can see what it's using, or am I going in the wrong direction here?

Regards
Ben
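The example below is added here and is not part of Ben's post or of OpenSSL itself. The man page quoted above only says the hash is SHA-1 over a "canonical version of the DN"; the rest of what this script does is my reading of OpenSSL's X509_NAME_hash() and asn1_string_canon() (crypto/x509/x_name.c) and should be treated as an assumption to be checked against `openssl x509 -subject_hash`: the input to SHA-1 is not any printed form of the subject but a DER encoding in which every attribute value is converted to UTF8String, trimmed of ASCII whitespace, internal whitespace runs collapsed to one space and ASCII letters lower-cased; the RDN SETs are concatenated without the outer SEQUENCE; and the printed value is the first four digest bytes read little-endian as a 32-bit number in `%08x`. That explains why `-nameopt` and the "subject=" prefix never mattered. The attribute-to-OID table and the hand-built subject are constructed for the example.

```python
"""
Reconstruct the OpenSSL >= 1.0.0 subject hash without calling OpenSSL.
Added example; it assumes OpenSSL's X509_NAME_hash() works as follows:
  1. each value -> UTF8String, leading/trailing ASCII whitespace stripped,
     inner whitespace runs collapsed to one space, ASCII letters lower-cased,
     non-ASCII bytes passed through unchanged;
  2. each RDN is DER-encoded as SET OF SEQUENCE { OID, UTF8String };
  3. RDN encodings are concatenated WITHOUT the outer SEQUENCE wrapper;
  4. SHA-1 of that, first four digest bytes little-endian, printed as %08x.
Only attribute types in ATTR_OIDS are recognised (assumption of this example).
"""
import hashlib

# Short name -> dotted OID for a handful of common X.520 attributes.
ATTR_OIDS = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1",
}
_ASCII_WS = b" \t\n\v\f\r"


def der_len(n: int) -> bytes:
    """DER definite-length encoding (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))


def canon_value(value: str) -> bytes:
    """Canonicalise one attribute value (step 1 above)."""
    raw = value.encode("utf-8").strip(_ASCII_WS)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b >= 0x80:                      # non-ASCII byte: pass through
            out.append(b)
            i += 1
        elif b in _ASCII_WS:               # whitespace run -> single space
            out.append(0x20)
            while i < len(raw) and raw[i] in _ASCII_WS:
                i += 1
        else:                              # ASCII: lower-case letters only
            out.append(b | 0x20 if 0x41 <= b <= 0x5A else b)
            i += 1
    return bytes(out)


def encode_rdn(entries) -> bytes:
    """SET OF SEQUENCE { type, value }; DER sorts SET OF members by encoding."""
    encoded = sorted(
        der_tlv(0x30, der_oid(ATTR_OIDS[t]) + der_tlv(0x0C, canon_value(v)))
        for t, v in entries
    )
    return der_tlv(0x31, b"".join(encoded))


def canonical_name(rdns) -> bytes:
    """The bytes that get hashed: RDNs back to back, no outer SEQUENCE."""
    return b"".join(encode_rdn(rdn) for rdn in rdns)


def subject_hash(rdns) -> str:
    """The 8-hex-char string `openssl x509 -subject_hash` prints."""
    digest = hashlib.sha1(canonical_name(rdns)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")


# Constructed input: the subject from the post, one attribute per RDN,
# in the order it appears in the certificate.
SUBJECT = [[("C", "GB")], [("O", "My Company")],
           [("OU", "My Department")], [("CN", "MyName")]]

if __name__ == "__main__":
    print("canonical DER:", canonical_name(SUBJECT).hex())
    print("subject hash :", subject_hash(SUBJECT))
```

To check the assumption, take the subject attributes from `openssl x509 -in CERT.pem -noout -subject`, feed them in certificate order, and compare the printed value with `openssl x509 -in CERT.pem -noout -subject_hash`. Two things worth keeping in mind when relying on these hashes: the normalisation means "My Company" and "my  company" hash identically, and since only 32 bits of the digest survive, distinct subjects can share a hash, which is why the certs directory symlinks carry a `.0`, `.1`, ... suffix rather than being a unique key.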


More information about the openssl-users mailing list