M2Crypto: How to generate subjectKeyIdentifier / authorityKeyIdentifier

Matthias Güntert MatzeGuentert at gmx.de
Mon Aug 10 18:19:17 CEST 2009


Hello once again

Now I have the extension-patch [0] applied to the M2Crypto SVN branch
(revision 704). Creating a root and a subRoot CA certificate now works
great, including the SKID/AKID extensions.

I am also able to verify those created certificates using:

$ openssl verify -CAfile rootCA.crt rootCA.crt 
rootCA.crt: OK

$ openssl verify -CAfile rootCA.crt subRootCA.crt 
subRootCA.crt: OK

But having a closer look at the generated key IDs shows that there is
either something wrong in the way I am adding the subjectKeyIdentifier
extension or in the way the hash gets calculated in the background.

These are the hashes:

__rootCA__
SKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A
--> OKAY
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A
--> OKAY

__subRootCA (signed by rootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B
--> OKAY
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A
--> OKAY

__client (signed by rootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B
--> NOT OKAY, should be different from RootCA
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A
--> OKAY

__client (signed by subRootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B
--> NOT OKAY, should be different from subRootCA
AKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B
--> OKAY

I really would be happy if someone could have a look at my code [1], as
these extensions are important for verifying the trust chain. Please let
me know if there is anything I can do with my limited knowledge about
OpenSSL to get this working...

Regards, Matthias 

[0] https://bugzilla.osafoundation.org/attachment.cgi?id=5106
[1] http://code.google.com/p/webca/source/browse/trunk/src/ca.py
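A note on reading the values above, with an added example that is not part of the original post and not the poster's ca.py or M2Crypto code: RFC 5280 section 4.2.1.2 method (1) derives the subjectKeyIdentifier as the SHA-1 hash of the contents of the subjectPublicKey BIT STRING (tag, length and the unused-bits octet excluded). The value DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 is the SHA-1 digest of zero bytes of input, so an SKID equal to it means the hash was computed over empty data rather than over the certificate's public key; any two certificates produced that way will share it, which is exactly the collision shown for the client certificates. The stdlib-only code below encodes a SubjectPublicKeyInfo around a constructed toy RSA key (the 3233/17 parameters are placeholders, not a real key), extracts the bit string the way the RFC specifies, hashes it, refuses to hash an empty key, and classifies a printed identifier so the empty-input case is caught before a certificate is issued.

```python
import hashlib

# SHA-1 of zero bytes of input. Seeing this as a key identifier means the
# digest was taken over nothing, not over the public key.
EMPTY_INPUT_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_length(len(content)) + content


def _der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der_tlv(0x02, body)


def encode_rsa_public_key(n, e):
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return _der_tlv(0x30, _der_integer(n) + _der_integer(e))


def encode_spki(public_key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { algorithm, subjectPublicKey BIT STRING }"""
    algorithm = _der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # parameters NULL
    subject_public_key = _der_tlv(0x03, b"\x00" + public_key_bytes)  # 0 unused bits
    return _der_tlv(0x30, algorithm + subject_public_key)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki_der):
    """Contents of the subjectPublicKey BIT STRING, without the unused-bits octet."""
    tag, seq, end = _read_tlv(spki_der, 0)
    if tag != 0x30 or end != len(spki_der):
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, _algorithm, pos = _read_tlv(seq, 0)  # AlgorithmIdentifier is not part of the hash
    tag, bits, _ = _read_tlv(seq, pos)
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    return bits[1:]


def subject_key_identifier(spki_der):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the subjectPublicKey bits."""
    bits = subject_public_key_bits(spki_der)
    if not bits:
        raise ValueError("empty public key: refusing to derive an identifier from nothing")
    return hashlib.sha1(bits).hexdigest()


def to_colon_hex(hex_digest):
    """Render a digest the way 'openssl x509 -text' prints it: F4:EF:64:..."""
    return ":".join(hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)).upper()


def diagnose_key_identifier(printed):
    """Classify a printed SKID/AKID: 'empty-input', 'unexpected-length' or 'ok'."""
    normalized = printed.replace(":", "").strip().lower()
    if normalized == EMPTY_INPUT_SHA1:
        return "empty-input"
    if len(normalized) != 40:
        return "unexpected-length"
    return "ok"


if __name__ == "__main__":
    # Constructed toy RSA parameters (not a real key) so the demo runs offline.
    spki = encode_spki(encode_rsa_public_key(3233, 17))
    print("SKID", to_colon_hex(subject_key_identifier(spki)))
    print(diagnose_key_identifier("DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"))
```

In a CA script the useful check is the last function: run it over the identifiers of every certificate before signing it, and treat "empty-input" as a bug in how the public key was passed to the hash, since a chain whose leaf SKIDs all match the issuer's SKID makes authorityKeyIdentifier matching useless for path building.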
