(public-key (rsa (e #010001#) (n |AOQjBj+wSG/BlAlir8Xuz62Hv3xAfAxJQeMl0kf93oWFzEcbK03h0kP3ueX4FaMMvsBYEqT uCK7h1CQHvuZrsRmjZmoP08zTOfrYYstU9wHW0QrPvTPrWlh52YXygS3NE8fHLOQkjwdCVf1 CHubDxTnovrO7j7xBOsbeMgJArrvv|)))
The precise S-expression format used by SPKI/SDSI is described in the [SPKI certificate structure document] and on the homepage of [Ron Rivest's "sexp" library].
Any given S-expression can be expressed in three formats:
To understand how S-expressions are hashed, it's important to know how their canonical form is derived.
Basically, an advanced S-expression consists of lists of atoms delimited by ( ). Atoms can be anything: strings such as public-key or "long string with spaces", or streams of raw bytes. Raw bytes are usually delimited by vertical bars and encoded in Base64, e.g., |aGlkZGVuIG1lc3NhZ2U=|, or can be represented as bit strings, as in #010001# above.
In canonical form, S-expressions are still delimited by parentheses, but atoms are encoded as a length in readable ASCII, followed by a colon, followed by the string or stream of bytes itself. For example, the advanced S-expression
(not-after "2004-07-18_17:58:18")
becomes
(9:not-after19:2004-07-18_17:58:18)
in canonical form (this example contains no unprintable characters).
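The conversion described above, and why hashing is done over the canonical bytes, as an added example (not code from this page or from Rivest's library). It handles only the subset of the advanced form mentioned here; the function names are hypothetical, and the hash algorithm is supplied by the caller because this page does not name one.

```python
import base64
import hashlib
import re

# Tokenizer for the subset of the advanced form described above: parentheses,
# "quoted strings", |Base64| atoms, #hex# atoms and bare tokens.
_TOKEN = re.compile(r'''\s*(?:
      (?P<paren>[()])
    | "(?P<quoted>(?:[^"\\]|\\.)*)"
    | \|(?P<b64>[A-Za-z0-9+/=\s]*)\|
    | \#(?P<hex>[0-9A-Fa-f\s]*)\#
    | (?P<token>[A-Za-z0-9\-./_:*+=]+)
)''', re.VERBOSE)

def _atom(m):
    """Return the raw bytes of one atom match."""
    if m.group("quoted") is not None:
        # Simplification: a backslash escape just yields the next character.
        return re.sub(r"\\(.)", r"\1", m.group("quoted")).encode()
    if m.group("b64") is not None:
        return base64.b64decode("".join(m.group("b64").split()))
    if m.group("hex") is not None:
        return bytes.fromhex("".join(m.group("hex").split()))
    return m.group("token").encode()

def to_canonical(advanced: str) -> bytes:
    """Convert an advanced-form S-expression to canonical form."""
    out, depth, pos = bytearray(), 0, 0
    text = advanced.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unparseable input at offset {pos}")
        pos = m.end()
        if m.group("paren"):
            depth += 1 if m.group("paren") == "(" else -1
            if depth < 0:
                raise ValueError("unbalanced ')'")
            out += m.group("paren").encode()
        else:
            raw = _atom(m)
            out += str(len(raw)).encode() + b":" + raw
    if depth != 0:
        raise ValueError("unbalanced '('")
    return bytes(out)

def hash_canonical(advanced: str, algorithm: str) -> str:
    """Hash the canonical bytes, so formatting differences do not matter."""
    return hashlib.new(algorithm, to_canonical(advanced)).hexdigest()
```

Two advanced-form inputs that differ only in whitespace or atom encoding produce the same canonical bytes and therefore the same hash.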
The sexp utility can be obtained from the [Ron Rivest's "sexp" library] page and compiled with (I think):
$ gcc -o sexp sexp-*.c
Put the resulting sexp executable in /usr/local/bin or some other convenient path.
It's particularly useful for converting from ugly canonical S-expressions, which Greenpass uses a lot, to advanced ones, like so:
$ sexp -i Example.spkicert -a
If I recall, it actually gets used inside the Python scripts that make up the Web apps for just this purpose.