Hello, I am trying to add the extensions "subjectKeyIdentifier" and "authorityKeyIdentifier" to an X509v3 certificate.
According to RFC 5280, section 4.2.1.2, the key identifier is composed of the 160-bit SHA-1 hash of the BIT STRING subjectPublicKey: http://tools.ietf.org/html/rfc5280#section-4.2.1.2

I don't know how, or which function from EVP.PKey() to use, to compose a fingerprint from the public key. As you can see below I was playing around with some functions, which simply returned nonsense (at least for me). I would be happy if someone could provide some example code on how to generate a fingerprint from the public key. Neither "print keyp.final()" nor "print keyp.sign_final()" on the last line returns anything...

--------------------------------------------------------
from M2Crypto import X509, m2, RSA, EVP
from config import *
import os.path
import sys


class Keypair(object):
    def __init__(self):
        self.config = Config()
        self.keypair = EVP.PKey()

    def create_keypair(self, key_size=1024):
        # generate an RSA key pair
        # OpenSSL book page 232
        # second argument should be a constant RSA_F4 or RSA_3
        rsa_key_pair = RSA.gen_key(key_size, m2.RSA_F4)
        # check if RSA key pair is usable
        # OpenSSL book page 232
        if rsa_key_pair.check_key() != 1:
            print 'error while generating key!'
            sys.exit()
        # EVP object which can hold either a DSA or an RSA object
        # OpenSSL book page 236
        evp_key_container = EVP.PKey()
        evp_key_container.assign_rsa(rsa_key_pair)
        self.keypair = evp_key_container

    def save_keypair(self, filename):
        # refuse to overwrite an existing key file
        if not os.path.exists(filename):
            self.keypair.save_key(filename, None)
        else:
            print "error in save_keypair(): cannot save key, it already exists"

    def load_keypair(self, filename):
        try:
            self.keypair = EVP.load_key(filename)
        except TypeError:
            print "error in load_keypair(): maybe file does not exist?"

    def get_keypair(self):
        return self.keypair

    def get_public_key(self):
        return self.keypair.pkey

    def print_keypair(self):
        print self.keypair.as_pem(None)


if __name__ == "__main__":
    keypair = Keypair()
    keypair.create_keypair()
    # keypair.save_keypair("test.keys")
    keyp = keypair.get_keypair()
    print keyp.final()
    print keyp.sign_final()
---------------------------------------------------------

And this may be a somewhat OT question, but how can I use OpenSSL to generate a fingerprint for testing and comparison purposes? For example, I have got a certificate client.crt and the keys client.key:

$ openssl x509 -noout -text -in client.crt
[...]
X509v3 Subject Key Identifier:
    D2:C0:39:37:45:F6:A3:BF:D8:91:A2:F5:C7:43:42:80:6A:3C:38:AF
X509v3 Authority Key Identifier:
    A7:E2:2E:59:F8:53:1F:68:F2:59:34:32:42:F6:21:20:C0:D1:3A:89
[...]

But openssl gives me a different fingerprint... so what's wrong here?

$ openssl rsa -pubout -in client_1.key | openssl sha1 -c
writing RSA key
cc:d2:ab:16:1f:a1:23:3e:fe:45:03:ab:4f:86:57:65:52:16:b2:1a

-- 
http://mail.python.org/mailman/listinfo/python-list
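The following is an added example, not the poster's code and not M2Crypto: a pure-Python computation of the RFC 5280 section 4.2.1.2 method (1) key identifier from a DER-encoded SubjectPublicKeyInfo. It builds a SubjectPublicKeyInfo from a constructed modulus and exponent (SAMPLE_N and SAMPLE_E are made-up numbers, not a real RSA key), extracts the subjectPublicKey BIT STRING, and hashes exactly those bytes. It also computes two values that are easy to mistake for the SKI: the SHA-1 of the PEM text (which is what piping `openssl rsa -pubout` into `openssl sha1` hashes, since the "writing RSA key" message goes to stderr and the PEM text goes to stdout) and the SHA-1 of the whole SubjectPublicKeyInfo structure. All DER helper names are this example's own.

```python
import base64
import hashlib
import textwrap

# --- minimal DER helpers (added example; not M2Crypto or OpenSSL code) ---

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_integer(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:            # DER INTEGER is signed: pad so the value stays positive
        body = b"\x00" + body
    return der_tlv(0x02, body)

def der_sequence(*items):
    return der_tlv(0x30, b"".join(items))

def der_bit_string(content):
    return der_tlv(0x03, b"\x00" + content)   # leading octet = number of unused bits (0)

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"

def rsa_subject_public_key_info(n, e):
    """SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING holding DER RSAPublicKey {n, e}."""
    rsa_public_key = der_sequence(der_integer(n), der_integer(e))
    algorithm = der_sequence(RSA_ENCRYPTION_OID, DER_NULL)
    return der_sequence(algorithm, der_bit_string(rsa_public_key))

def read_tlv(buf, pos=0):
    """Decode one DER element at buf[pos]; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def subject_public_key_bits(spki_der):
    """Contents of the subjectPublicKey BIT STRING, minus the unused-bits octet."""
    tag, spki, _ = read_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, _, after_alg = read_tlv(spki)            # AlgorithmIdentifier: not part of the hash
    bs_tag, bit_string, _ = read_tlv(spki, after_alg)
    if bs_tag != 0x03 or bit_string[0] != 0:
        raise ValueError("expected BIT STRING with zero unused bits")
    return bit_string[1:]

def subject_key_identifier(spki_der):
    """RFC 5280 4.2.1.2 method (1): 160-bit SHA-1 of the subjectPublicKey BIT STRING value."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()

def colon_hex(digest):
    """Format the way 'openssl x509 -text' prints key identifiers."""
    return ":".join("%02X" % b for b in digest)

def pem_public_key(spki_der):
    """PEM wrapping as written by 'openssl rsa -pubout'."""
    b64 = base64.b64encode(spki_der).decode("ascii")
    return ("-----BEGIN PUBLIC KEY-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END PUBLIC KEY-----\n")

def sha1_of_pem_text(spki_der):
    """What 'openssl rsa -pubout | openssl sha1' actually hashes: the PEM text, not the key."""
    return hashlib.sha1(pem_public_key(spki_der).encode("ascii")).digest()

def sha1_of_whole_spki(spki_der):
    """Another common mistake: hashing the whole SubjectPublicKeyInfo instead of the BIT STRING."""
    return hashlib.sha1(spki_der).digest()

# Constructed sample numbers (NOT a real RSA key; far too small to be secure).
SAMPLE_N = 0xC3A5C85C97CB3127B43E0E69C09A5E4F
SAMPLE_E = 65537
SAMPLE_SPKI = rsa_subject_public_key_info(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print("Subject Key Identifier (method 1):", colon_hex(subject_key_identifier(SAMPLE_SPKI)))
    print("sha1(PEM text)                   :", colon_hex(sha1_of_pem_text(SAMPLE_SPKI)))
    print("sha1(whole SubjectPublicKeyInfo) :", colon_hex(sha1_of_whole_spki(SAMPLE_SPKI)))
```

Fed the DER public key of a real key (for example the output of `openssl rsa -in client.key -pubout -outform DER`), subject_key_identifier() yields the value a CA following method (1) puts into the Subject Key Identifier extension; the value obtained above by piping the PEM into `openssl sha1` corresponds to sha1_of_pem_text() and will never match. Two caveats when comparing against a certificate: RFC 5280 only recommends method (1), so a CA may have used method (2) or any other unique value, and the Authority Key Identifier is the issuer's key identifier, so it is not derivable from client.key at all.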