M2Crypto: How to generate subjectKeyIdentifier / authorityKeyIdentifier

Matthias Güntert MatzeGuentert at gmx.de
Thu Aug 6 07:26:31 CEST 2009


> M2Crypto has a couple of bugs open related that, with potential
> workarounds that I haven't yet deemed polished enough to checkin, but
> which might help you out:
> 
> https://bugzilla.osafoundation.org/show_bug.cgi?id=7530
> https://bugzilla.osafoundation.org/show_bug.cgi?id=12151

Thanks, that helped me a lot. Generating the 'subjectKeyIdentifier' now
works for me using the following procedure:

----------------------------------------------------------
import hashlib 

def get_public_key_fingerprint(self):
	h = hashlib.new('sha1')
    	h.update(self.keypair.as_der())
    	client_serial = h.hexdigest().upper()
    	client_serial_hex = ''
    	
    	for byte in xrange(20):
    	 client_serial_hex += client_serial[byte*2] + client_serial[byte*2
+1]
    		if byte < 19:
    			client_serial_hex += ':'
    
        return client_serial_hex 

[...]
cert_extension_4 = X509.new_extension("subjectKeyIdentifier",
keys_ca.get_public_key_fingerprint()) 
----------------------------------------------------------

However I don't understand the way the hash gets build. Comparing the
output from a given keypair and certificate build via OpenVPNs easy-rsa
scripts shows different subjectKeyIdentifiers. As stated out by rfc5280
there is no right or wrong way in creating the unique hash, so this
should be fine. 

But setting the 'authorityKeyIdentifier' extension gives me some
headache here. The following code snippet produces a segmentation fault
on my python interpreter (version 2.6)  

----------------------------------------------------------
cert_extension = X509.new_extension("authorityKeyIdentifier",
keys_ca.get_public_key_fingerprint())

cert_extension_stack.push(cert_extension)
----------------------------------------------------------

Same on this:
----------------------------------------------------------
cert_extension = 

X509.new_extension("authorityKeyIdentifier",
"keyid:1C:88:E1:8E:F1:5F:9D:1C:2B:6C:41:D4:3D:BB:79:0D:33:4A:E3:9A,
DirName:/C=US/ST=CA/L=SanFrancisco/O=Fort-Funston/CN=Fort-Funston
CA/emailAddress=me at myhost.mydomain, serial:B1:82:B1:E4:23:78:F1:12")

cert_extension_stack.push(cert_extension)
----------------------------------------------------------

So the question is: Is there another workaround to set this extension?
How can I provide more information to get this fixed? Working with the
latest SVN version is no option for me at the moment. 

Thanks in advance,
Matthias 





More information about the Python-list mailing list