
I need to know what kind of hash algorithm my certificate has. I only figured out how to do it by converting the loaded certificate to a string and running find on it. For example:

#include <algorithm>
#include <cctype>
#include <string>

#include <openssl/bio.h>
#include <openssl/objects.h>
#include <openssl/pem.h>
#include <openssl/x509.h>

BIO *certbio = BIO_new(BIO_s_file());
X509 *certificate;
BIO_read_filename(certbio, "/etc/some.crt");
certificate = PEM_read_bio_X509(certbio, NULL, 0, NULL);
if (certificate == NULL)
{
    // PEM parse failed; handle the error before touching the struct
}

// Direct struct access works on OpenSSL 1.0.x (X509 is opaque from 1.1.0 on)
int pkey_nid = OBJ_obj2nid(certificate->cert_info->signature->algorithm);
if (pkey_nid != NID_undef)
{
    // long name, e.g. "sha256WithRSAEncryption" or "ecdsa-with-SHA256"
    std::string algorithm = OBJ_nid2ln(pkey_nid);
    // std::string has no toLower(); lower-case it so both spellings match
    std::transform(algorithm.begin(), algorithm.end(), algorithm.begin(),
                   [](unsigned char c) { return std::tolower(c); });

    if (algorithm.find("sha256") != std::string::npos)
    {
        // ...
    }
    else if (algorithm.find("sha384") != std::string::npos)
    {
        // ...
    }
    else {
        // ...
    }
}

Is there a better way to know whether my certificate uses sha256 or sha384, etc?

Can I check my pkey_nid value against an openssl constant as in the following example?

...
int pkey_nid = OBJ_obj2nid(certificate->cert_info->signature->algorithm);

if (pkey_nid == NID_sha1WithRSAEncryption)
{
    // ...
}
else if(pkey_nid == NID_shaWithRSAEncryption)
{
    // ...
}
else {
    // ...
}

I tried to find a constant for sha256, but the only ones I could find were things like NID_shaWithRSAEncryption and NID_sha1WithRSAEncryption, but no NID_sha256WithRSAEncryption:

  1. https://github.com/openssl/openssl/blob/1c0eede9827b0962f1d752fa4ab5d436fa039da4/crypto/objects/objects.pl#L175
  2. https://svn.python.org/projects/external/openssl-0.9.8y/inc64/openssl/objects.h

Is there documentation which maps names like NID_shaWithRSAEncryption to an algorithm like sha256 or sha384, so that I could use these constants as in my second example?

Or is the only way to figure out whether my certificate uses sha256 to convert the certificate algorithm to a string and run a find on it, as I did in my first example?

Related:

  1. In OpenSSL, given a certificate, how can I get a string representation of the signature algorithm?
  2. https://man.openbsd.org/X509_get0_signature.3
  3. Check signature for x509 certificate
  4. How do I print a fingerprint (sha256 bytes) using colon notation?
  5. How can I see if the certificate is SHA384?
Evandro Coan

1 Answer


After looking at the source code, it does not look like openssl has an interface to get a certificate type, just a string value it gets from a global variable:

// File: openssl-1.0.2m/crypto/objects/obj_dat.c
const char *OBJ_nid2ln(int n)
{
    ADDED_OBJ ad, *adp;
    ASN1_OBJECT ob;

    if ((n >= 0) && (n < NUM_NID)) {
        if ((n != NID_undef) && (nid_objs[n].nid == NID_undef)) {
            OBJerr(OBJ_F_OBJ_NID2LN, OBJ_R_UNKNOWN_NID);
            return (NULL);
        }
        return (nid_objs[n].ln);
    } else if (added == NULL)
        return (NULL);
    else {
        ad.type = ADDED_NID;
        ad.obj = &ob;
        ob.nid = n;
        adp = lh_ADDED_OBJ_retrieve(added, &ad);
        if (adp != NULL)
            return (adp->obj->ln);
        else {
            OBJerr(OBJ_F_OBJ_NID2LN, OBJ_R_UNKNOWN_NID);
            return (NULL);
        }
    }
}
Evandro Coan
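Added example, not code from the question or the answer above. The hash is fixed by the OID stored in the certificate's signatureAlgorithm field; OBJ_obj2nid() only translates that OID into a NID, and OBJ_nid2ln() then returns the table string the answer shows. The program below decodes a DER AlgorithmIdentifier directly and maps the OID to its digest, so it builds without libcrypto; the two inputs are constructed sample encodings, not taken from a real certificate. With libcrypto 1.0.2 or later the same result comes from X509_get_signature_nid() (documented on the X509_get0_signature man page linked in the question) followed by OBJ_find_sigid_algs(), which returns the digest NID (NID_sha256, NID_sha384, ...) for comparison against constants instead of substring searches.

```c
/* Added example (not from the question or answer): decode the DER
 * AlgorithmIdentifier from a certificate's signatureAlgorithm field and
 * map its OID to the digest it implies. This is the lookup OBJ_obj2nid()
 * performs internally. With libcrypto 1.0.2+ the equivalent, shown as a
 * comment only so this file builds stand-alone, is:
 *     int sig_nid = X509_get_signature_nid(cert);  // NID_sha256WithRSAEncryption ...
 *     int dig_nid, pk_nid;
 *     OBJ_find_sigid_algs(sig_nid, &dig_nid, &pk_nid); // dig_nid == NID_sha256 ... */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct sig_alg { const char *oid; const char *name; const char *digest; };

/* Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758. */
static const struct sig_alg SIG_ALGS[] = {
    { "1.2.840.113549.1.1.4",  "md5WithRSAEncryption",    "md5"    },
    { "1.2.840.113549.1.1.5",  "sha1WithRSAEncryption",   "sha1"   },
    { "1.2.840.113549.1.1.11", "sha256WithRSAEncryption", "sha256" },
    { "1.2.840.113549.1.1.12", "sha384WithRSAEncryption", "sha384" },
    { "1.2.840.113549.1.1.13", "sha512WithRSAEncryption", "sha512" },
    { "1.2.840.10045.4.1",     "ecdsa-with-SHA1",         "sha1"   },
    { "1.2.840.10045.4.3.2",   "ecdsa-with-SHA256",       "sha256" },
    { "1.2.840.10045.4.3.3",   "ecdsa-with-SHA384",       "sha384" },
    { "1.2.840.10045.4.3.4",   "ecdsa-with-SHA512",       "sha512" },
};

/* Decode the content bytes of a DER OBJECT IDENTIFIER into dotted form.
 * Returns 0 on success, -1 on empty, truncated, overflowing or oversized input. */
static int oid_to_dotted(const unsigned char *p, size_t len, char *out, size_t outsz)
{
    size_t i = 0, used = 0;
    unsigned long arc = 0;
    int first = 1, n;

    if (len == 0)
        return -1;
    while (i < len) {
        unsigned char b = p[i++];
        if (arc > (ULONG_MAX >> 7))          /* next shift would overflow */
            return -1;
        arc = (arc << 7) | (b & 0x7f);
        if (b & 0x80) {                      /* continuation byte */
            if (i == len)                    /* input ends mid-arc: truncated */
                return -1;
            continue;
        }
        if (first) {                         /* first arc packs X.Y as X*40+Y */
            unsigned long x = arc < 80 ? arc / 40 : 2;
            n = snprintf(out + used, outsz - used, "%lu.%lu", x, arc - x * 40);
            first = 0;
        } else {
            n = snprintf(out + used, outsz - used, ".%lu", arc);
        }
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
        arc = 0;
    }
    return 0;
}

/* Parse SEQUENCE { algorithm OID, parameters OPTIONAL } and look the OID up.
 * Only short-form lengths are accepted (AlgorithmIdentifiers are always small).
 * Returns NULL for malformed input or an OID missing from SIG_ALGS. */
static const struct sig_alg *parse_signature_alg(const unsigned char *der, size_t len)
{
    char dotted[64];
    const unsigned char *p;
    size_t inner, k;

    if (len < 4 || der[0] != 0x30 || der[1] >= 0x80 || (size_t)der[1] + 2 > len)
        return NULL;
    p = der + 2;
    inner = der[1];
    if (inner < 2 || p[0] != 0x06 || p[1] >= 0x80 || (size_t)p[1] + 2 > inner)
        return NULL;
    if (oid_to_dotted(p + 2, p[1], dotted, sizeof dotted) != 0)
        return NULL;
    for (k = 0; k < sizeof SIG_ALGS / sizeof SIG_ALGS[0]; k++)
        if (strcmp(SIG_ALGS[k].oid, dotted) == 0)
            return &SIG_ALGS[k];
    return NULL;
}

/* Digest ("sha256", ...) and long name ("sha256WithRSAEncryption", ...), or NULL. */
const char *signature_digest(const unsigned char *der, size_t len)
{
    const struct sig_alg *a = parse_signature_alg(der, len);
    return a ? a->digest : NULL;
}
const char *signature_name(const unsigned char *der, size_t len)
{
    const struct sig_alg *a = parse_signature_alg(der, len);
    return a ? a->name : NULL;
}

/* Constructed samples: sha256WithRSAEncryption with its NULL parameters, and
 * ecdsa-with-SHA384, which carries no parameters. */
const unsigned char SAMPLE_RSA_SHA256[] = {
    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00 };
const unsigned char SAMPLE_ECDSA_SHA384[] = {
    0x30, 0x0a, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x04, 0x03, 0x03 };

int main(void)
{
    printf("%s -> %s\n", signature_name(SAMPLE_RSA_SHA256, sizeof SAMPLE_RSA_SHA256),
           signature_digest(SAMPLE_RSA_SHA256, sizeof SAMPLE_RSA_SHA256));
    printf("%s -> %s\n", signature_name(SAMPLE_ECDSA_SHA384, sizeof SAMPLE_ECDSA_SHA384),
           signature_digest(SAMPLE_ECDSA_SHA384, sizeof SAMPLE_ECDSA_SHA384));
    return 0;
}
```

A caller that wants to reject weak signatures compares the returned digest against an allow-list ("sha256", "sha384", "sha512") instead of searching the long name, which is exactly what comparing OBJ_find_sigid_algs()'s digest NID against NID_sha256 and friends achieves with libcrypto. Anything the table does not know, or any malformed encoding, comes back as NULL and should be treated as a failure, not as "some other algorithm".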