Hi Steve,
I did what you said (please correct me if I am wrong) and still the output is
not mapping, below please find the steps I'd taken:

1. openssl asn1parse -inform der -in my.key
 0:d=0  hl=4 l= 629 cons: SEQUENCE
 4:d=1  hl=2 l=   1 prim: INTEGER           :00
 7:d=1  hl=2 l=  13 cons: SEQUENCE
 9:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
20:d=2  hl=2 l=   0 prim: NULL
22:d=1  hl=4 l= 607 prim: OCTET STRING      [HEX DUMP]:

2. openssl asn1parse -inform der -in my.key -strparse 22 -out mypubkey.der
3. openssl sha1 -c mypubkey.der
SHA1(mypubkey.der)= 8d:51:f3:a7:03:5a:79:ca:14:1c:5f:9d:92:39:32:28:a8:1e:e3:7f

SKID stored in the certificate is :
C5:C1:98:9F:22:2E:13:25:31:E7:15:7C:2F:E2:C9:9D:45:94:56:D7

Which still differs from the original one.

Regards,
Tushar.

On Thu, Dec 17, 2009 at 7:00 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Thu, Dec 17, 2009, tushar ganguli wrote:
>
> > So should I take the PEM formatted output, strip the --- BEGIN -- / -- END
> > -- lines from the key and then convert the Base64 encoding to binary format
> > and then calculate the hash? Will that be the same as displayed in the
> > certificate?
> >
>
> If it was just the DER form then adding -outform DER to the rsa command would
> work. However the operation isn't based on the whole key. Here's an example
> using the OpenSSL tools...
>
> openssl asn1parse -in key.pem
>
>    0:d=0  hl=3 l= 159 cons: SEQUENCE
>    3:d=1  hl=2 l=  13 cons: SEQUENCE
>    5:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>   16:d=2  hl=2 l=   0 prim: NULL
>   18:d=1  hl=3 l= 141 prim: BIT STRING
>
> The actual SKID is the contents of that BIT STRING so you do:
>
> openssl asn1parse -in key.pem -strparse 18 -out key.der
>
> Then:
>
> openssl sha1 key.der
>
> That will give you exactly the same hash as that placed in SKID.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
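
The hash described in the quoted reply, as an added Python example that is not part of the original thread: it walks a DER SubjectPublicKeyInfo and hashes the BIT STRING contents without the unused-bits octet. It also rejects the layout in the first listing above (INTEGER 0, AlgorithmIdentifier, OCTET STRING), which is a PKCS#8 PrivateKeyInfo whose OCTET STRING holds the private key rather than the public key; all function names and sample bytes are constructed for illustration, and the certificate is assumed to carry the SHA-1 form of the identifier.

```python
import hashlib

def tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed samples below."""
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + head + content

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER TLV starting at off."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def skid_from_spki(der):
    """SHA-1 hex digest over the subjectPublicKey BIT STRING contents."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, _, alg_end = read_tlv(der, start)
    if tag == 0x02:
        # A leading version INTEGER means PKCS#8 PrivateKeyInfo, not a public key.
        raise ValueError("PKCS#8 private key: export the public key first")
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, s, e = read_tlv(der, alg_end)
    if tag != 0x03 or s == e or der[s] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return hashlib.sha1(der[s + 1:e]).hexdigest()   # skip the unused-bits octet

# Constructed sample data (structurally valid DER, not a real RSA key).
ALG_RSA = tlv(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")
SAMPLE_RSA_PUB = tlv(0x30, tlv(0x02, bytes(range(1, 129))) + tlv(0x02, b"\x01\x00\x01"))
SAMPLE_SPKI = tlv(0x30, ALG_RSA + tlv(0x03, b"\x00" + SAMPLE_RSA_PUB))
SAMPLE_PKCS8 = tlv(0x30, tlv(0x02, b"\x00") + ALG_RSA + tlv(0x04, b"\x30\x00"))

if __name__ == "__main__":
    print("SKID:", skid_from_spki(SAMPLE_SPKI))
    try:
        skid_from_spki(SAMPLE_PKCS8)
    except ValueError as err:
        print("rejected:", err)
```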
