Issue closed by laurencelundblade 3 years ago
No, that is not correct. The form to be hashed is whatever is signed and there. Forcing a re-encode to DER is known to generate errors. This is standard behavior in the X.509 world.
Is x5t the hash of the leaf cert in x5bag or x5chain? If so, that would explain why most of my comments are not making sense.
I interpreted it as another way to identify a cert similar to x5bag. I was going to say that it needs to be an array like x5bag.
Pretty sure x5t needs some clarification.
This is fixed in the -08 draft, which actually says x5t is a hash over DER.
Since the data is being hashed, it has to be in a canonical form, so it should specify DER encoding.
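As an added illustration of the point settled in this thread (example code written here, not code from the thread, the draft or any project), the COSE x5t value is a hash over the certificate's DER bytes exactly as they appear in x5bag or x5chain, with no parse and re-encode step. The function names, the SHA-256 algorithm identifier used for the hashAlg slot, and the stand-in DER blob are assumptions and constructed values, not real certificates.

```python
import base64
import hashlib
import re

# COSE hash algorithm identifier for SHA-256 from the IANA COSE Algorithms
# registry; it fills the hashAlg slot of x5t = [hashAlg, hashValue].
COSE_SHA256 = -16


def pem_to_der(pem: str) -> bytes:
    """Recover the original DER bytes from a PEM wrapper.

    Only the base64 body is decoded; nothing is parsed or re-encoded, so the
    result is byte-for-byte the DER the sender produced (the re-encode that
    the thread warns against never happens).
    """
    body = re.sub(r"-----(BEGIN|END) [A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def cose_x5t(der: bytes, alg: int = COSE_SHA256) -> list:
    """Build an x5t value, [hashAlg, hashValue], over the DER bytes as-is."""
    if alg != COSE_SHA256:
        raise ValueError("only SHA-256 (-16) is implemented in this example")
    return [alg, hashlib.sha256(der).digest()]


def x5t_matches(der: bytes, x5t: list) -> bool:
    """Check a received x5t against one certificate's DER bytes."""
    alg, digest = x5t
    return cose_x5t(der, alg)[1] == digest


def find_by_x5t(bag: list, x5t: list):
    """Return the DER certificate in an x5bag/x5chain list that x5t names,
    or None when no entry hashes to the thumbprint."""
    for der in bag:
        if x5t_matches(der, x5t):
            return der
    return None


# Constructed stand-ins for certificates: minimal DER SEQUENCEs, not real
# certs, used only so the example runs offline.
SAMPLE_DER = bytes.fromhex("3003020101")
OTHER_DER = bytes.fromhex("3003020102")
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)
```

Because the thumbprint is taken over the decoded DER, reflowing the PEM body across different line lengths leaves x5t unchanged, while any change to the DER bytes themselves breaks the match.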