M2Crypto: How to generate subjectKeyIdentifier / authorityKeyIdentifier
Matthias Güntert
MatzeGuentert at gmx.de
Mon Aug 10 12:19:17 EDT 2009
Hello once again
Now I have the extension-patch [0] applied to the M2Crypto SVN branch
(revision 704). Creating a root and a subRoot CA certificate now works
great including the SKID/AKID extensions.
I am also able to verify those created certificates using:
$ openssl verify -CAfile rootCA.crt rootCA.crt
rootCA.crt: OK
$ openssl verify -CAfile rootCA.crt subRootCA.crt
subRootCA.crt: OK
But having a closer look at the generated key IDs shows that there is
either something wrong in the way I am adding the subjectKeyIdentifier
extension or the way the hash gets calculated in the background.
These are the hashes:
__rootCA__
SKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY
__subRootCA (signed by rootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> OKAY
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY
__client (signed by rootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> NOT OKAY, should be different from RootCA
AKID F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F -: A --> OKAY
__client (signed by subRootCA)__
SKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> NOT OKAY, should be different from subRootCA
AKID DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09 -: B --> OKAY
I really would be happy if someone could have a look at my code [1] as
these extensions are important for verifying the trust chain. Please let
me know if there is anything I can do with my limited knowledge about
OpenSSL to get this working...
Regards, Matthias
[0] https://bugzilla.osafoundation.org/attachment.cgi?id=5106
[1] http://code.google.com/p/webca/source/browse/trunk/src/ca.py
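
The following is an added example, not code from the original post or from M2Crypto: it audits the four SKID/AKID pairs listed above, flagging any SKID equal to the SHA-1 of empty input, any SKID repeated across certificates, and any AKID that does not match its issuer's SKID. The function names and certificate labels are assumptions, and the duplicate check assumes each certificate has its own key pair.

```python
import hashlib

def norm(kid):
    """Normalise 'DA:39:..' or 'da39..' to bare upper-case hex."""
    return kid.replace(":", "").strip().upper()

def key_id(public_key_bits):
    """RFC 5280 4.2.1.2 method 1: SHA-1 over the subjectPublicKey bytes."""
    return hashlib.sha1(public_key_bits).hexdigest().upper()

# Key identifier produced when the hash is taken over zero bytes,
# i.e. no public key was available when the extension was built.
EMPTY_SHA1 = key_id(b"")

def audit(certs):
    """certs: list of (name, issuer_name, skid, akid). Returns findings."""
    skid_of = {name: norm(skid) for name, _, skid, _ in certs}
    findings, seen = [], {}
    for name, issuer, skid, akid in certs:
        skid, akid = norm(skid), norm(akid)
        if skid == EMPTY_SHA1:
            findings.append((name, "SKID is SHA-1 of empty input"))
        if skid in seen:
            # Assumption: every certificate has its own key pair.
            findings.append((name, "SKID duplicates " + seen[skid]))
        else:
            seen[skid] = name
        if akid != skid_of[issuer]:
            findings.append((name, "AKID does not match issuer SKID"))
    return findings

# Values A and B copied from the listing in the post; labels are constructed.
A = "F4:EF:64:5F:7A:A2:2A:14:14:F9:AE:6E:DB:04:78:0A:8C:6E:02:9F"
B = "DA:39:A3:EE:5E:6B:4B:0D:32:55:BF:EF:95:60:18:90:AF:D8:07:09"
CERTS = [
    ("rootCA", "rootCA", A, A),
    ("subRootCA", "rootCA", B, A),
    ("client-by-rootCA", "rootCA", B, A),
    ("client-by-subRootCA", "subRootCA", B, B),
]

if __name__ == "__main__":
    for name, problem in audit(CERTS):
        print(name, "->", problem)
```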