Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

create_extension('subjectKeyIdentifier', 'hash') uses the wrong key id #173

Closed
caldwell opened this issue Aug 29, 2018 · 2 comments
Closed

create_extension('subjectKeyIdentifier', 'hash') uses the wrong key id #173

caldwell opened this issue Aug 29, 2018 · 2 comments

Comments

@caldwell
Copy link

In parseSubjectKeyIdentifier() (in X509ExtensionFactory.java), if the valuex passed in is 'hash' then it fetches the issuer's public key and uses that instead of the subject's. This is incorrect.
@ahmet2mir
Copy link

ahmet2mir commented Jan 28, 2020
edited
Loading

@caldwell I found a fix based on https://gist.github.com/sstelfox/11063125#file-key_fingerprints-rb-L24

sequence = OpenSSL::ASN1::Sequence([
  OpenSSL::ASN1::Integer.new(cert.public_key.n),
  OpenSSL::ASN1::Integer.new(cert.public_key.e)
])
skeyid = OpenSSL::Digest::SHA1.hexdigest(sequence.to_der)
cert.add_extension ef.create_extension('subjectKeyIdentifier', skeyid) # force the key instead of 'hash'

To test you could run with c-ruby and jruby

require 'openssl'

key = OpenSSL::PKey::RSA.new(4096)

subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"

cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)

cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert

cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')

sequence = OpenSSL::ASN1::Sequence([
  OpenSSL::ASN1::Integer.new(cert.public_key.n),
  OpenSSL::ASN1::Integer.new(cert.public_key.e)
])

skeyid = OpenSSL::Digest::SHA1.hexdigest(sequence.to_der)
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash') # don't force value, skeyid must match the value
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')

cert.sign key, OpenSSL::Digest::SHA256.new

puts skeyid.scan(/../).join(':').upcase
puts cert.extensions[2].value.upcase

puts are identicals on c-ruby but different on jruby.

@kares
Copy link
Member

kares commented Feb 18, 2020

Thanks for the detailed report, we used ^^ for tests.
This is fixed since >= 0.10.3 (JRuby >= 9.2.10.0)

@kares kares closed this as completed Feb 18, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@caldwell @kares @ahmet2mir