
When issuing a certificate with a CA, the Authority Key Identifier and the Subject Key Identifier in the issued certificate have the same content #1781

Open
senserhit opened this issue Jan 14, 2025 · 0 comments · May be fixed by #1782

Comments

@senserhit

# Issue the root certificate
gmssl sm2keygen -pass 123456 -out rootkey.pem
gmssl certgen -C CN \
    -ST Beijing \
    -L Haidian \
    -O PKU \
    -OU CS \
    -CN ROOTCA \
    -days 3650 \
    -key rootkey.pem \
    -pass 123456 \
    -out rootcert.pem \
    -key_usage keyCertSign \
    -key_usage cRLSign \
    -gen_subject_key_id \
    -gen_authority_key_id

# Use the root certificate to issue an intermediate certificate
gmssl sm2keygen -pass 123456 -out cakey.pem
gmssl reqgen -key cakey.pem -out careq.pem -pass 123456 -C "CN" -ST "Beijing" -L "Haidian" -O "PKU" -OU "CS" -CN "Intermediate CA"
gmssl reqsign -in careq.pem -out cacert.pem \
    -cacert rootcert.pem \
    -key rootkey.pem \
    -pass 123456 \
    -days 365 \
    -key_usage digitalSignature \
    -key_usage keyCertSign \
    -gen_authority_key_id \
    -gen_subject_key_id \
    -path_len_constraint 0 \
    -ca

[screenshot: the Authority Key Identifier and Subject Key Identifier extensions of the generated certificates]

As the screenshot above shows, the generated Authority Key Identifier and Subject Key Identifier are identical:

  1. For the root certificate rootcert.pem, identical values are normal, because rootcert.pem is self-signed: the issuer and the subject are the same, so the two identifiers have the same content.
  2. But for cacert.pem, which is issued by rootcert.pem, identical values are wrong. The Authority Key Identifier in cacert.pem should match the Subject Key Identifier of rootcert.pem, and cacert.pem should have its own Subject Key Identifier.

Looking at the code, in tools/reqsign.c:

// the following code was copied from certgen.c
        // Extensions
        if (gen_authority_key_id) {
                if (x509_exts_add_default_authority_key_identifier(exts, &extslen, sizeof(exts), &sm2_key) != 1) {
                        fprintf(stderr, "%s: set AuthorityKeyIdentifier extension failure\n", prog);
                        goto end;
                }
        }
        if (gen_subject_key_id) {
                if (x509_exts_add_subject_key_identifier_ex(exts, &extslen, sizeof(exts), -1, &sm2_key) != 1) {
                        fprintf(stderr, "%s: set SubjectKeyIdentifier extension failure\n", prog);
                        goto end;
                }
        }

Here gen_authority_key_id and gen_subject_key_id both use the same parameter, sm2_key. sm2_key is the issuer's key, i.e. rootcert.pem in the example.
gen_subject_key_id should instead use the subject's own key, i.e. cacert.pem in the example, which in the code is subject_public_key.

// the following code was copied from certgen.c
        // Extensions
        if (gen_authority_key_id) {
                if (x509_exts_add_default_authority_key_identifier(exts, &extslen, sizeof(exts), &sm2_key) != 1) {
                        fprintf(stderr, "%s: set AuthorityKeyIdentifier extension failure\n", prog);
                        goto end;
                }
        }
        if (gen_subject_key_id) {
                if (x509_exts_add_subject_key_identifier_ex(exts, &extslen, sizeof(exts), -1, &subject_public_key) != 1) {
                        fprintf(stderr, "%s: set SubjectKeyIdentifier extension failure\n", prog);
                        goto end;
                }
        }
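To check for the defect described in this issue from the outside, one can parse the DER-encoded Extensions block of the issued certificate and compare its key identifiers with the issuer's. The following is an added example written for this note, not GmSSL's code: a minimal DER walker that pulls out SubjectKeyIdentifier (2.5.29.14) and the keyIdentifier field of AuthorityKeyIdentifier (2.5.29.35), plus a check that the issued certificate's AKI names the issuer's SKI while the certificate carries an SKI of its own. The extension blocks at the bottom are constructed sample data (20-byte placeholder identifiers), not real certificates; the `exts`/`tlv`/`ext` helpers only exist to build them.

```python
SKI_OID = bytes.fromhex("551d0e")   # id-ce-subjectKeyIdentifier (2.5.29.14)
AKI_OID = bytes.fromhex("551d23")   # id-ce-authorityKeyIdentifier (2.5.29.35)

def der_tlv(buf, off):
    """Decode one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def key_ids(exts):
    """Return (subjectKeyIdentifier, authorityKeyIdentifier.keyIdentifier)."""
    ski = aki = None
    tag, body, _ = der_tlv(exts, 0)         # Extensions ::= SEQUENCE OF Extension
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    off = 0
    while off < len(body):
        _, ext, off = der_tlv(body, off)    # Extension ::= SEQUENCE
        _, oid, p = der_tlv(ext, 0)         # extnID OBJECT IDENTIFIER
        tag, val, p = der_tlv(ext, p)       # critical BOOLEAN or extnValue
        if tag == 0x01:                     # critical present: extnValue comes next
            _, val, p = der_tlv(ext, p)
        if oid == SKI_OID:
            _, ski, _ = der_tlv(val, 0)     # SubjectKeyIdentifier ::= OCTET STRING
        elif oid == AKI_OID:
            _, aki_seq, _ = der_tlv(val, 0) # AuthorityKeyIdentifier ::= SEQUENCE
            q = 0
            while q < len(aki_seq):
                t, v, q = der_tlv(aki_seq, q)
                if t == 0x80:               # [0] keyIdentifier
                    aki = v
    return ski, aki

def check_issued(issuer_exts, cert_exts):
    """True iff cert's AKI names the issuer's SKI and cert carries its own SKI."""
    issuer_ski, _ = key_ids(issuer_exts)
    ski, aki = key_ids(cert_exts)
    return aki == issuer_ski and ski is not None and ski != aki

# Constructed sample extension blocks (not real certificates; short-form lengths only).
def tlv(tag, value): return bytes([tag, len(value)]) + value
def ext(oid, value): return tlv(0x30, tlv(0x06, oid) + tlv(0x04, value))
def exts(ski, aki): return tlv(0x30, ext(SKI_OID, tlv(0x04, ski)) + ext(AKI_OID, tlv(0x30, tlv(0x80, aki))))
ROOT_ID, CA_ID = b"\xaa" * 20, b"\xbb" * 20
ROOT_EXTS = exts(ROOT_ID, ROOT_ID)      # self-signed root: SKI == AKI is expected
BUGGY_CA_EXTS = exts(ROOT_ID, ROOT_ID)  # what the reported reqsign behaviour produces
FIXED_CA_EXTS = exts(CA_ID, ROOT_ID)    # expected: own SKI, AKI equal to the root's SKI
```

For a real certificate, feed `key_ids` the raw DER of the Extensions SEQUENCE (the content of the `[3]` element of TBSCertificate) taken from rootcert.pem and cacert.pem; `check_issued` returning False for the intermediate reproduces the symptom reported above.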