To expound @Eugene's comment:
RFC 5280 on Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile specified a certificate as:
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version MUST be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version MUST be v3
}
Am I correct in assuming that there's protection against the modification of both the subject and the extension information in a request or X509 certificate?
I am not sure what kind of request you exactly mean but in a X509 certificate both the subject
and the extensions
are part of the tbsCertificate
which is signed by signatureValue
which indeed is a protection against the modification.