create_extension('subjectKeyIdentifier', 'hash') uses the wrong key id

[caldwell]

In parseSubjectKeyIdentifier() (in X509ExtensionFactory.java), if the valuex passed in is 'hash' then it fetches the issuer's public key and uses that instead of the subject's. This is incorrect.

[ahmet2mir]

@caldwell I found a fix based on https://gist.github.com/sstelfox/11063125#file-key_fingerprints-rb-L24

sequence = OpenSSL::ASN1::Sequence([
  OpenSSL::ASN1::Integer.new(cert.public_key.n),
  OpenSSL::ASN1::Integer.new(cert.public_key.e)
])
skeyid = OpenSSL::Digest::SHA1.hexdigest(sequence.to_der)
cert.add_extension ef.create_extension('subjectKeyIdentifier', skeyid) # force the key instead of 'hash'

To test you could run with c-ruby and jruby

require 'openssl'

key = OpenSSL::PKey::RSA.new(4096)

subject = "/C=FR/ST=IDF/L=PARIS/O=Company/CN=myhost.example"

cert = OpenSSL::X509::Certificate.new
cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)

cert.not_before = Time.now
cert.not_after = Time.now + 365*24*60*60
cert.public_key = key.public_key
cert.serial = 0x0
cert.version = 2

ef = OpenSSL::X509::ExtensionFactory.new
ef.subject_certificate = ef.issuer_certificate = cert

cert.add_extension ef.create_extension('basicConstraints', 'CA:FALSE', true)
cert.add_extension ef.create_extension('keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature')

sequence = OpenSSL::ASN1::Sequence([
  OpenSSL::ASN1::Integer.new(cert.public_key.n),
  OpenSSL::ASN1::Integer.new(cert.public_key.e)
])

skeyid = OpenSSL::Digest::SHA1.hexdigest(sequence.to_der)
cert.add_extension ef.create_extension('subjectKeyIdentifier', 'hash') # don't force value, skeyid must match the value
cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always,issuer:always')

cert.sign key, OpenSSL::Digest::SHA256.new

puts skeyid.scan(/../).join(':').upcase
puts cert.extensions[2].value.upcase

puts are identicals on c-ruby but different on jruby.

[kares]

Thanks for the detailed report, we used ^^ for tests.
This is fixed since >= 0.10.3 (JRuby >= 9.2.10.0)