I'd like to change the CSR before it is transferred to the CA without going through the CSR creation process again. To do that I need to know how to calculate the signature of the CSR after I modified it. Unfortunately I couldn't find out exactly how many bytes of the CSR are hashed.
I created the CSR like this:
openssl req -out certrequest.csr -new -newkey rsa:2048 -nodes -keyout private.key
After
sed -e '1d' -e '$d' certrequest.csr | openssl enc -base64 -d > certrequest-stripped
the last 256 bytes (sha256WithRSAEncryption) of certrequest-stripped are signature1. Now I'd like to know how many of the first bytes of certrequest-stripped I have to hash in order to sign the hash using the private key.
In other words, I'm looking for the value of the "?" in the following command so that both signatures (signature1 and signature2) match:
head -c <?> certrequest-stripped | openssl dgst -sha256 > hash
openssl rsautl -sign -inkey private.key -keyform PEM -in hash > signature2
I know that the cut has to be somewhere behind the ASN1 field for the exponent, but since my attempt to increase the head of the CSR byte by byte failed, I'm worried I'm missing something fundamental here.
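An added example, not part of the original post: per PKCS #10 (RFC 2986) the signature covers the DER encoding of the CertificationRequestInfo, the first element inside the outer SEQUENCE, so the hashed range begins after the outer header rather than at byte 0. The sketch below locates that range in a DER-encoded CSR; the function names and the sample bytes are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        length, hdr = first, 2
    else:                                  # long form: low 7 bits count the length bytes
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    end = pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, pos + hdr, end

def split_csr(der):
    """Return (tbs_start, tbs_end, signature) for a DER CertificationRequest."""
    tag, start, end = read_tlv(der, 0)               # outer SEQUENCE header, not hashed
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t1, _, tbs_end = read_tlv(der, start)            # CertificationRequestInfo
    t2, _, alg_end = read_tlv(der, tbs_end)          # signatureAlgorithm
    t3, sig_start, sig_end = read_tlv(der, alg_end)  # signature BIT STRING
    if (t1, t2, t3) != (0x30, 0x30, 0x03) or sig_end != end:
        raise ValueError("unexpected CSR layout")
    if der[sig_start] != 0:                          # leading unused-bits octet
        raise ValueError("BIT STRING has unused bits")
    return start, tbs_end, der[sig_start + 1:sig_end]

def tbs_sha256(der):
    """SHA-256 over exactly the bytes the CSR signature covers."""
    start, tbs_end, _ = split_csr(der)
    return hashlib.sha256(der[start:tbs_end]).hexdigest()

def _tlv(tag, value):
    """Encode one DER TLV (only used to build the constructed sample)."""
    n = len(value)
    nbytes = (n.bit_length() + 7) // 8
    ln = bytes([n]) if n < 0x80 else bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + ln + value

# Constructed sample with a CSR's outer layout; the inner bytes are filler, not a real request.
SAMPLE_TBS = _tlv(0x30, b"\x5a" * 300)
SAMPLE_ALG = bytes.fromhex("300d06092a864886f70d01010b0500")  # sha256WithRSAEncryption, NULL
SAMPLE_SIG = b"\xa5" * 256
SAMPLE_CSR = _tlv(0x30, SAMPLE_TBS + SAMPLE_ALG + _tlv(0x03, b"\x00" + SAMPLE_SIG))
```

On a real CSR, writing `der[start:tbs_end]` to a file and running `openssl dgst -sha256 -sign private.key` on it yields the PKCS #1 v1.5 signature with the DigestInfo wrapper. `openssl rsautl -sign` over the text output of `openssl dgst` does not add that wrapper and signs the hex string rather than the raw digest.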