Subject Key Identifier hash method
Tomas Mraz
tomas at openssl.org
Wed Jun 7 14:35:45 UTC 2023
The Subject Key Id does not necessarily have to be a fingerprint. In
case of CA certs it just needs to match with the Authority Key Id field
of the issued certificates signed by the key in the CA cert so the CA
cert can be matched easily during verification.
So in theory it can be any unique OCTET STRING that identifies the key
for given certificate authority.
See RFC 5280 section 4.2.1.2.
Tomas Mraz, OpenSSL
On Wed, 2023-06-07 at 08:56 -0400, Robert Moskowitz wrote:
> I am trying to figure out if the Subject Key Identifier hash method
> is
> carried in the certificate. An asn1dump of a "regular" cert shows:
>
> 276:d=4 hl=2 l= 29 cons: SEQUENCE
> 278:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject
> Key
> Identifier
> 283:d=5 hl=2 l= 22 prim: OCTET STRING [HEX
> DUMP]:04144F0C1A75F4AF13DC67EC18465C020FC22A82616B
> 307:d=4 hl=2 l= 31 cons: SEQUENCE
> 309:d=5 hl=2 l= 3 prim: OBJECT :X509v3
> Authority
> Key Identifier
> 314:d=5 hl=2 l= 24 prim: OCTET STRING [HEX
> DUMP]:30168014A8885F91878E4ED6AA2056C535E2212413F96BA2
>
>
> I cannot easily see if the hashing method is contained here. I am
> assuming it is a sha2 hash of the EdDSA public keys, but how do I
> tell?
>
> Of course I am asking as I want to use the rfc9374 DETs here.
>
> thanks
>
--
Tomáš Mráz, OpenSSL
More information about the openssl-users
mailing list