Integrity of Request/X509 Alternative Name/Extension Information

StackOverflow https://stackoverflow.com/questions/22991523

  •  01-07-2023
  •  | 
  •  

Domanda

Am I correct in assuming that there's protection against the modification of both the subject and the extension information in a request or X509 certificate?

This signature is just another element embedded in the ASN.1 encoding?

È stato utile?

Soluzione

To expound @Eugene's comment:

RFC 5280 on Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile specified a certificate as:

Certificate  ::=  SEQUENCE  {
    tbsCertificate       TBSCertificate,
    signatureAlgorithm   AlgorithmIdentifier,
    signatureValue       BIT STRING  }

TBSCertificate  ::=  SEQUENCE  {
    version         [0]  EXPLICIT Version DEFAULT v1,
    serialNumber         CertificateSerialNumber,
    signature            AlgorithmIdentifier,
    issuer               Name,
    validity             Validity,
    subject              Name,
    subjectPublicKeyInfo SubjectPublicKeyInfo,
    issuerUniqueID  [1]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    subjectUniqueID [2]  IMPLICIT UniqueIdentifier OPTIONAL,
                         -- If present, version MUST be v2 or v3
    extensions      [3]  EXPLICIT Extensions OPTIONAL
                         -- If present, version MUST be v3
    }

Am I correct in assuming that there's protection against the modification of both the subject and the extension information in a request or X509 certificate?

I am not sure what kind of request you exactly mean but in a X509 certificate both the subject and the extensions are part of the tbsCertificate which is signed by signatureValue which indeed is a protection against the modification.

Autorizzato sotto: CC-BY-SA insieme a attribuzione
Non affiliato a StackOverflow
scroll top