A question regarding KeyIdentifiers.
RFC 3280 section 4.2.1.2 describes:

    Two common methods for generating key identifiers from the public key
    are:

    (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
        value of the BIT STRING subjectPublicKey (excluding the tag,
        length, and number of unused bits).

    (2) The keyIdentifier is composed of a four bit type field with
        the value 0100 followed by the least significant 60 bits of the
        SHA-1 hash of the value of the BIT STRING subjectPublicKey
        (excluding the tag, length, and number of unused bit string
        bits).
If my openssl config has
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
I get method (1) above.
The Australian Standard AS 4539.1.2.1—2001 states:
6.3.2.2 Authority key identifier
The authorityKeyIdentifier extension identifies the public key to be
used to verify the signature in this certificate. It enables distinct
keys used by the same CA to be distinguished (eg. as key updating
occurs).
Conforming certificates shall identify the key using the
keyIdentifier field. The value of the keyIdentifier field should be a
64 bit OCTET STRING consisting of the hexadecimal value 0x4 (0100 in
binary) followed by the 60 least significant bits of an SHA-1 hash of
the DER-encoding of subjectPublicKey sub-field of subjectPublicKeyInfo.
This extension shall be present in EE, CA, PCA and External Domain
certificates, and shall not be marked critical.
6.3.2.3 Subject key identifier
The subjectKeyIdentifier extension identifies the public key being
certified. It enables distinct keys used by the same subject to be
differentiated (eg. as key updating occurs).
Conforming certificates shall identify the key using the
keyIdentifier field as described in Clause 6.3.2.2. The subject key
identifier shall be identical to the authority key identifier
extension in any certificates issued by a CA using the identified
public key.
This extension shall be present in PAA, PCA, CA and External Domain
certificates, and shall not be marked critical.
Which is method (2).
How can I get openssl to generate keyIdentifiers using method (2)?
Regards,
JZ
John Zornig
Specialist Systems Analyst
Australian Access Federation
Strategic Technologies Group
Information Technology Services (ITS)
The University of Queensland
Brisbane Qld, 4072
Ph: +61 7 336 54288
Mob: +61 434 351 532
http://www.uq.edu.au/~uqjzorni/
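An added example, not part of the original message and not OpenSSL code, that computes both RFC 3280 key identifier methods from a DER-encoded SubjectPublicKeyInfo using only the Python standard library. The RSA modulus used to build the sample SubjectPublicKeyInfo is constructed for illustration, not a real key. The example reads "least significant 60 bits" as the low-order end of the 160-bit digest taken as a big-endian integer; that reading is an assumption of the example. Since method (2) is a truncation of the same SHA-1 digest that method (1) emits in full, the method (2) value is also derived here directly from a method (1) identifier without re-hashing.

```python
"""RFC 3280 section 4.2.1.2 key identifiers, methods (1) and (2), computed
from a DER SubjectPublicKeyInfo.  Standard library only; the sample key is
constructed and is not a real RSA key."""
import hashlib

# --- minimal DER encoder (only used to build the sample SubjectPublicKeyInfo) ---
def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def der_integer(value: int) -> bytes:
    # Extra high byte keeps the two's-complement sign bit clear for positives.
    body = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der_tlv(0x02, body)

# Pre-encoded OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption).
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

def build_rsa_spki(modulus: int, exponent: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    rsa_public_key = der_tlv(0x30, der_integer(modulus) + der_integer(exponent))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")       # NULL parameters
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)   # 0 unused bits
    return der_tlv(0x30, alg_id + subject_public_key)

# --- minimal DER reader ---
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def extract_subject_public_key(spki_der: bytes) -> bytes:
    """The BIT STRING value of subjectPublicKey, without tag, length and
    the unused-bits octet, exactly the input both RFC methods hash."""
    tag, seq, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, _alg, pos = _read_tlv(seq, 0)          # AlgorithmIdentifier, not needed
    tag, bitstring, _ = _read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    if bitstring[0] != 0:
        raise ValueError("subjectPublicKey with unused bits is not handled here")
    return bitstring[1:]

def key_identifier_method1(spki_der: bytes) -> bytes:
    """Method (1): the full 160-bit SHA-1 of the subjectPublicKey value."""
    return hashlib.sha1(extract_subject_public_key(spki_der)).digest()

def truncate_to_method2(method1_kid: bytes) -> bytes:
    """Method (2) from a method (1) identifier: type nibble 0100 followed by
    the low-order 60 bits of the digest (assumption: big-endian integer)."""
    low60 = int.from_bytes(method1_kid, "big") & ((1 << 60) - 1)
    return ((0x4 << 60) | low60).to_bytes(8, "big")

def key_identifier_method2(spki_der: bytes) -> bytes:
    return truncate_to_method2(key_identifier_method1(spki_der))

# Constructed sample: 512-bit odd modulus and exponent 65537, not a real key.
SAMPLE_MODULUS = int("d0" + "ab" * 62 + "c1", 16)
SAMPLE_SPKI = build_rsa_spki(SAMPLE_MODULUS, 65537)

if __name__ == "__main__":
    print("method (1):", key_identifier_method1(SAMPLE_SPKI).hex())
    print("method (2):", key_identifier_method2(SAMPLE_SPKI).hex())
```

Method (2) keeps only 60 bits of the digest, so two distinct keys collide in the identifier far more readily than under method (1); the identifier is a lookup hint for selecting a candidate issuer key, and signature verification must still decide which key is correct.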