Notwithstanding that the field is named digest, it can be any value. If you look at the generated X.509 certificate for any SKI value you provide, you'll see it ends up in the certificate directly.
Alex

On Thu, Mar 13, 2025 at 6:09 PM Robert Moskowitz <r...@htt-consult.com> wrote:
>
> 5280 does not REQUIRE SKI to be a digest. It can be any value you want.
>
> And in fact with openssl directly I can have in my config:
>
> [ usr_cert ]
> # Extensions for client certificates (`man x509v3_config`).
> subjectKeyIdentifier = $ENV::ski
> authorityKeyIdentifier = keyid:always
>
> Where I have:
>
> export ski=2001003FFE3FF8059B0E2860EB0BACDE
>
> e.g.:
>
> X509v3 extensions:
>     X509v3 Subject Key Identifier:
>         20:01:00:3F:FE:3F:F8:05:9B:0E:28:60:EB:0B:AC:DE
>     X509v3 Authority Key Identifier:
>         20:01:00:3F:FE:3F:F8:05:E8:05:A9:8F:9D:F1:5E:2D
>
>
> On 3/13/25 5:55 PM, Alex Gaynor wrote:
> > I don't understand your question. As you can see, the value you pass
> > as the digest is the same as the value the SKI instance has. And as
> > the documentation states, digest and key_identifier are aliases for
> > each other (as attributes on an SKI).
> >
> > Alex
> >
> > On Thu, Mar 13, 2025 at 5:53 PM Robert Moskowitz <r...@htt-consult.com>
> > wrote:
> >> I can't seem to defeat it digesting the argument:
> >>
> >> print(type(detb), detb)
> >> ski = x509.SubjectKeyIdentifier(detb)
> >> print(type(ski), ski)
> >>
> >> <class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'
> >> <class 'cryptography.x509.extensions.SubjectKeyIdentifier'>
> >> <SubjectKeyIdentifier(digest=b'2001003ffe3ff805f64b0a656aaee568')>
> >>
> >> I don't WANT detb to be digested. I just want its value in
> >> SubjectKeyIdentifier
> >>
> >> I tried, after rereading that web page doc:
> >>
> >> ski = x509.SubjectKeyIdentifier(key_identifier=detb)
> >>
> >> But that threw an error
> >>
> >>
> >> On 3/13/25 5:34 PM, Alex Gaynor via Cryptography-dev wrote:
> >>> You can pass any bytes value to the constructor:
> >>> https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier
> >>> (Sphinx doesn't highlight it, but you can see the constructor's
> >>> signature `SubjectKeyIdentifier(digest)`).
> >>>
> >>> Alex
> >>>
> >>> On Thu, Mar 13, 2025 at 5:32 PM Robert Moskowitz <r...@htt-consult.com>
> >>> wrote:
> >>>> Per RFC5280
> >>>>
> >>>> Although the common practice for SubjectKeyIdentifier is to SHA1 hash
> >>>> the public key, sec 4.2.1.2 clearly states that:
> >>>>
> >>>> "Other methods of generating unique numbers are also acceptable."
> >>>>
> >>>> And in fact, using openSSL I have set whatever value I have wanted into
> >>>> SubjectKeyIdentifier in the config file.
> >>>>
> >>>> But it seems in
> >>>>
> >>>> https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier.from_public_key
> >>>>
> >>>> "digest" is the only allowed option.
> >>>>
> >>>> For example I have an IPv6 address that the reverse lookup will get you
> >>>> all the RR you may need for the thing. So I would want
> >>>>
> >>>> 2001003ffe3ff805f64b0a656aaee56
> >>>>
> >>>> as my SubjectKeyIdentifier
> >>>>
> >>>> How can I do this? What type does that value need to be?
> >>>>
> >>>> Of course for AuthorityKeyIdentifier I think I can "cheat" by using the
> >>>> int value of that ipv6 addr and feeding it in as the serial_number.
> >>>>
> >>>> thank you
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Cryptography-dev mailing list
> >>>> Cryptography-dev@python.org
> >>>> https://mail.python.org/mailman/listinfo/cryptography-dev
> >>>
> >
>
> --
> All that is necessary for evil to succeed is for good people to do nothing.
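For readers arriving from the archive, here is a standard-library-only illustration added to this page (it is not code from the thread, nor from the cryptography project) of what "any value" means at the DER level: RFC 5280's SubjectKeyIdentifier is just an OCTET STRING, so the 16 packed bytes of an IPv6 address encode into the extension exactly as the openssl output above shows, and an AuthorityKeyIdentifier carrying the same keyIdentifier is built the same way. The bytes `key_identifier_from_ipv6` returns are what one would hand to `SubjectKeyIdentifier(digest)`. All function names, and the colon-notation form of the thread's address, are this example's own. Note the pitfall the thread's `detb` shows: `b'2001003ffe3f...'` is the hex text of the address, 32 ASCII bytes, which the constructor accepts just as happily but which is a different identifier from the 16 address bytes; the `__main__` block encodes both so the lengths can be compared.

```python
"""Hand-encoded RFC 5280 SubjectKeyIdentifier / AuthorityKeyIdentifier
extensions carrying an arbitrary KeyIdentifier (an IPv6 address here),
using only the standard library.  Added example; not code from the thread."""
import ipaddress

# DER value bytes of the extension OIDs (id-ce 2.5.29.x).
SKI_OID = bytes.fromhex("551d0e")   # 2.5.29.14 subjectKeyIdentifier
AKI_OID = bytes.fromhex("551d23")   # 2.5.29.35 authorityKeyIdentifier


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, content, position after the element); rejects truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag, content, pos + length


def key_identifier_from_ipv6(addr: str) -> bytes:
    """The raw 16 address bytes: the value the openssl output shows as
    20:01:00:3F:..., and the bytes to hand to SubjectKeyIdentifier(digest)."""
    return ipaddress.IPv6Address(addr).packed


def encode_ski_extension(key_identifier: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    extnValue wraps SubjectKeyIdentifier ::= KeyIdentifier ::= OCTET STRING.
    `critical` is left out (DEFAULT FALSE); RFC 5280 requires SKI to be
    non-critical."""
    key_id = der_tlv(0x04, key_identifier)
    return der_tlv(0x30, der_tlv(0x06, SKI_OID) + der_tlv(0x04, key_id))


def encode_aki_extension(key_identifier: bytes) -> bytes:
    """AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] IMPLICIT
    OCTET STRING OPTIONAL, ... }; the [0] context tag is 0x80.  This is the
    value `authorityKeyIdentifier = keyid` copies from the issuer's SKI."""
    aki = der_tlv(0x30, der_tlv(0x80, key_identifier))
    return der_tlv(0x30, der_tlv(0x06, AKI_OID) + der_tlv(0x04, aki))


def decode_ski_extension(ext: bytes) -> bytes:
    """Walk the layers back down to the KeyIdentifier, checking every tag."""
    tag, seq, end = read_tlv(ext)
    if tag != 0x30 or end != len(ext):
        raise ValueError("expected a single SEQUENCE")
    tag, oid, pos = read_tlv(seq)
    if tag != 0x06 or oid != SKI_OID:
        raise ValueError("not id-ce-subjectKeyIdentifier")
    tag, extn_value, pos = read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        # A BOOLEAN here would mean critical=TRUE, which RFC 5280 forbids for SKI.
        raise ValueError("unexpected element before extnValue")
    tag, key_id, pos = read_tlv(extn_value)
    if tag != 0x04 or pos != len(extn_value):
        raise ValueError("extnValue is not a single OCTET STRING")
    return key_id


if __name__ == "__main__":
    # The address from the thread, written in colon notation (constructed input).
    addr = "2001:3f:fe3f:f805:9b0e:2860:eb0b:acde"
    raw = key_identifier_from_ipv6(addr)
    print("packed address :", raw.hex(), len(raw), "bytes")
    print("SKI extension  :", encode_ski_extension(raw).hex())
    print("AKI extension  :", encode_aki_extension(raw).hex())
    # The pitfall: b'2001003ffe3f...' is the hex *text* (32 ASCII bytes).
    # Any OCTET STRING is accepted, but it is a different identifier.
    as_text = raw.hex().encode()
    print("hex-text length:", len(decode_ski_extension(encode_ski_extension(as_text))))
```

Running it prints the 16-byte identifier, the two extension encodings (the SKI one begins `30190603551d0e0412 0410 ...`, i.e. SEQUENCE, OID, extnValue OCTET STRING, KeyIdentifier OCTET STRING), and then 32 for the hex-text form, which is the difference between `bytes.fromhex(...)` and the literal `b'2001...'` the thread passed.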