[gnutls-help] Setting Subject Key Identifier and Authority Key Identifier

Discussion:

Markus Karch

2018-07-16 13:06:32 UTC

Hello,

I am creating a self signed X.509 certificate and trying to set the SKI and
the AKI.
These values should be the SHA-1 of the public key.
But when I am settign these values I am only getting the SHA-1 hash value
of the private key.
What am I doing wrong? Here is a code snippet :

gnutls_x509_crt_t crt;
gnutls_x509_privkey_t privKey;

gnutls_x509_crt_init(&crt);
gnutls_x509_privkey_init(&privKey);

int gnuErr = gnutls_x509_privkey_generate(privKey, GNUTLS_PK_RSA, 2048, 0);
gnuErr = gnutls_x509_crt_set_dn (crt, "O=test,CN=test", NULL);
gnuErr = gnutls_x509_crt_set_key(crt, privKey);
gnutls_x509_crt_set_version(crt, 3);
int serialNumber = rand();
gnuErr = gnutls_x509_crt_set_serial(crt, &serialNumber, sizeof(int));

//Here is the problem
gnutls_pubkey_t pubKey;
gnuErr = gnutls_pubkey_init(&pubKey);
gnuErr = gnutls_pubkey_import_x509(pubKey, crt,0 );
unsigned char test[20]; // Normally 20 bytes (SHA1)
size_t size = sizeof(test);
//Here I am getting the hash of the private key
gnuErr = gnutls_pubkey_get_key_id(pubKey, 0, test, &size);
gnuErr = gnutls_x509_crt_set_subject_key_id(crt, test, size);

//....

Regards,
ckmk14

Markus Karch

2018-07-16 13:45:54 UTC

Permalink

Hello everyone,

I have another example which make things a little bit more clear:
In the code below am setting the SKI with the hash value of the private
key (as supposed) using the gnutls_pubkey_import_x509-function.
Then I am setting the AKI with the hash value of the private key (this is
wrong but useful for test purposes).
Unfortunately both values are the same. Why is it that way?

gnutls_x509_crt_t crt;
gnutls_x509_privkey_t privKey;

gnutls_x509_crt_init(&crt);
gnutls_x509_privkey_init(&privKey);

int gnuErr = gnutls_x509_privkey_generate(privKey, GNUTLS_PK_RSA, 2048, 0);

gnuErr = gnutls_x509_crt_set_dn (crt, "O=test,CN=test", NULL);

gnuErr = gnutls_x509_crt_set_key(crt, privKey);

gnutls_x509_crt_set_version(crt, 3);
int serialNumber = rand();
gnuErr = gnutls_x509_crt_set_serial(crt, &serialNumber, sizeof(int));

//Here is the problem
gnutls_pubkey_t pubKey;
gnuErr = gnutls_pubkey_init(&pubKey);
gnuErr = gnutls_pubkey_import_x509(pubKey, crt,0 );
unsigned char test[20];
size_t size = sizeof(test);
gnuErr = gnutls_pubkey_get_key_id(pubKey, 0, test, &size);
gnuErr = gnutls_x509_crt_set_subject_key_id(crt, test, size);

gnutls_privkey_t priv;
gnutls_privkey_init(&priv);
gnutls_privkey_import_x509(priv, privKey, 0);
unsigned char test2[20]; // Normally 20 bytes (SHA1)
size_t size2 = sizeof(test2);
gnutls_x509_privkey_get_key_id(privKey, 0, test2, &size2);
gnuErr = gnutls_x509_crt_set_authority_key_id(crt, test2, size2);

/////////////////////////////////////////////////////////////////
gnuErr = gnutls_x509_crt_set_key_usage(crt,
GNUTLS_KEY_DIGITAL_SIGNATURE
| GNUTLS_KEY_CRL_SIGN
| GNUTLS_KEY_KEY_CERT_SIGN);

gnuErr = gnutls_x509_crt_set_activation_time(crt, time(NULL));
gnuErr = gnutls_x509_crt_set_expiration_time(crt, time(NULL) + (60
* 60 * 24 * 365 * 10));

gnuErr = gnutls_x509_crt_sign2(crt, crt, privKey, GNUTLS_DIG_SHA256, 0);

Regards,
ckmk14

Post by Markus Karch
Hello,
I am creating a self signed X.509 certificate and trying to set the SKI
and the AKI.
These values should be the SHA-1 of the public key.
But when I am settign these values I am only getting the SHA-1 hash value
of the private key.
gnutls_x509_crt_t crt;
gnutls_x509_privkey_t privKey;
gnutls_x509_crt_init(&crt);
gnutls_x509_privkey_init(&privKey);
int gnuErr = gnutls_x509_privkey_generate(privKey, GNUTLS_PK_RSA, 2048, 0);
gnuErr = gnutls_x509_crt_set_dn (crt, "O=test,CN=test", NULL);
gnuErr = gnutls_x509_crt_set_key(crt, privKey);
gnutls_x509_crt_set_version(crt, 3);
int serialNumber = rand();
gnuErr = gnutls_x509_crt_set_serial(crt, &serialNumber, sizeof(int));
//Here is the problem
gnutls_pubkey_t pubKey;
gnuErr = gnutls_pubkey_init(&pubKey);
gnuErr = gnutls_pubkey_import_x509(pubKey, crt,0 );
unsigned char test[20]; // Normally 20 bytes (SHA1)
size_t size = sizeof(test);
//Here I am getting the hash of the private key
gnuErr = gnutls_pubkey_get_key_id(pubKey, 0, test, &size);
gnuErr = gnutls_x509_crt_set_subject_key_id(crt, test, size);
//....
Regards,
ckmk14

Markus Karch

2018-07-16 18:08:37 UTC

Permalink

Hello everyone,

sorry for the multiple mails but I think I found my issue. In the
documentation I discovered this:

"Note that gnutls_pubkey_get_key_id
<https://www.gnutls.org/manual/html_node/Abstract-key-API.html#gnutls_005fpubkey_005fget_005fkey_005fid>
calculates a SHA1 digest of the public key as a DER-formatted,
subjectPublicKeyInfo object. Other implementations use different
approaches, e.g., some use the âcommon methodâ described in section 4.2.1.2
of [RFC5280
<https://www.gnutls.org/manual/html_node/Bibliography.html#RFC5280>] which
calculates a digest on a part of the subjectPublicKeyInfo object. "

Is it with gnutls possible to generate the key id with one of the "common
methods" described in RFC5280?

Regards,
ckmk14

Nikos Mavrogiannopoulos

2018-07-18 05:51:25 UTC

Permalink

Post by Markus Karch
Hello everyone,
sorry for the multiple mails but I think I found my issue. In the
"Note that gnutls_pubkey_get_key_id calculates a SHA1 digest of the
public key as a DER-formatted, subjectPublicKeyInfo object. Other
implementations use different approaches, e.g., some use the “common
method” described in section 4.2.1.2 of [RFC5280] which calculates a
digest on a part of the subjectPublicKeyInfo object. "
Is it with gnutls possible to generate the key id with one of the
"common methods" described in RFC5280?

The functions to calculate the digest are helper ones. You can
calculate that digest of the key any way you like including the rfc5280
methods. All you need is to access the public key (e.g., via
gnutls_pubkey_t abstraction, and then the raw DER data).

regards,
Nikos