I can't seem to defeat it digesting the argument:

print(type(detb), detb)
ski = x509.SubjectKeyIdentifier(detb)
print(type(ski), ski)

<class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'
<class 'cryptography.x509.extensions.SubjectKeyIdentifier'> <SubjectKeyIdentifier(digest=b'2001003ffe3ff805f64b0a656aaee568')>

I don't WANT detb to be digested.  I just want its value in SubjectKeyIdentifier

I tried, after rereading that web page doc:

ski = x509.SubjectKeyIdentifier(key_identifier=detb)

But that threw an error


On 3/13/25 5:34 PM, Alex Gaynor via Cryptography-dev wrote:
You can pass any bytes value to the constructor:
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier
(Sphinx doesn't highlight it, but you can see the constructor's
signature `SubjectKeyIdentifier(digest)`).

Alex

On Thu, Mar 13, 2025 at 5:32 PM Robert Moskowitz <r...@htt-consult.com> wrote:
Per RFC5280

Although the common practice for SubjectKeyIdentifier is to SHA1 hash
the public key,  sec 4.2.1.2 clearly states that:

"Other methods of generating unique numbers are also acceptable."

And in fact, using OpenSSL I have set whatever value I have wanted into
SubjectKeyIdentifier in the config file.

But it seems in

https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier.from_public_key

"digest" is the only allowed option.

For example I have an IPv6 address that the reverse lookup will get you
all the RR you may need for the thing.  So I would want

2001003ffe3ff805f64b0a656aaee56

as my SubjectKeyIdentifier

How can I do this?  What type does that value need to be?

Of course for AuthorityKeyIdentifier I think I can "cheat" by using the
int value of that ipv6 addr and feeding it in as the serial_number.

thank you


_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
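
Added example, not part of the thread or the cryptography project's own code: the constructor's `digest` argument is stored as given, so the sketch below passes the address's 16 packed octets and reads them back from a signed certificate. The names `ski_from_ipv6`, `build_cert`, `embedded_ids` and the `ski-demo` subject are assumptions for illustration; the hex value is the one printed in the thread.

```python
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HEX_ID = "2001003ffe3ff805f64b0a656aaee568"  # hex value printed in the thread
ADDR = str(ipaddress.IPv6Address(bytes.fromhex(HEX_ID)))  # same value as IPv6 text


def ski_from_ipv6(addr: str) -> x509.SubjectKeyIdentifier:
    """Use the 16 packed octets of an IPv6 address as the key identifier."""
    raw = ipaddress.IPv6Address(addr).packed  # raw octets, not ASCII hex text
    return x509.SubjectKeyIdentifier(raw)  # stored verbatim; nothing is hashed


def build_cert(ski: x509.SubjectKeyIdentifier) -> x509.Certificate:
    """Self-signed throwaway certificate with this SKI and a matching AKI."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ski-demo")])
    now = datetime.datetime.now(datetime.timezone.utc)
    aki = x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(ski)
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(ski, critical=False)
        .add_extension(aki, critical=False)
        .sign(key, hashes.SHA256())
    )


def embedded_ids(cert: x509.Certificate) -> tuple:
    """Return (SKI, AKI key identifier) read back from the certificate, as hex."""
    ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier)
    aki = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier)
    return ski.value.digest.hex(), aki.value.key_identifier.hex()


if __name__ == "__main__":
    print(ADDR, embedded_ids(build_cert(ski_from_ipv6(ADDR))))
    # Passing the ASCII hex text instead stores 32 bytes, one per character.
    print(len(x509.SubjectKeyIdentifier(HEX_ID.encode()).digest))
```
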


