Cryptography Reference
In-Depth Information
Adding DSA Support to the Certifi cate Parser
Go ahead and add support for DSA as well. This is mostly academic because
DSA-signed certifi cates are extremely rare “in the wild,” at least for SSL.
Because servers present certifi cates primarily to prepare for key exchange,
and DSA can't be used for this purpose, there's not much point in presenting
a certifi cate with a DSA public key to an SSL client. A CA, on the other hand,
could use DSA; the purpose of a root certifi cate is to sign other certifi cates,
and this is the one thing DSA can do. However, at the time of this writing no
CA does — at least none of those implicitly trusted by major browser vendors.
However, it's worthwhile to see how it's done so that you can see how differ-
ent signature algorithms change the parsing semantics. In addition, common
or not, support for DSA certifi cates is required by TLS. First of all, the structure
defi nitions change slightly as shown in Listing 5-29.
Listing 5-29:
“x509.h” with DSA support
typedef enum
{
rsa,
dsa,
dh
}
algorithmIdentifier;
typedef enum
{
md5WithRSAEncryption,
shaWithRSAEncryption,
shaWithDSA
}
signatureAlgorithmIdentifier;
…
typedef struct
{
algorithmIdentifier algorithm;
// RSA parameters, only if algorithm == rsa
rsa_key rsa_public_key;
// DSA or DH parameters, only if algorithm == dsa
dsa_params dsa_parameters;
// DSA parameters, only if algorithm == dsa
huge dsa_public_key;
}
public_key_info;
…
typedef struct
{
x509_certificate tbsCertificate;
Search WWH ::
Custom Search