That's because the string encodings are different. The digest parameter to SKI is raw bytes, and OpenSSL is showing you their hex encoding:
>>> import binascii
>>> binascii.unhexlify("32:30:30:31:30:30:33:66:66:65:33:66:66:38:30:35:66:36:34:62:30:61:36:35:36:61:61:65:65:35:36:38".replace(":", ""))
b'2001003ffe3ff805f64b0a656aaee568'

Alex

On Thu, Mar 13, 2025 at 6:18 PM Robert Moskowitz <r...@htt-consult.com> wrote:
>
> that is not what I am seeing:
>
> builder = builder.add_extension(
> x509.SubjectAlternativeName([x509.IPAddress(ipaddress.IPv6Address(deti))
> ]),critical=True,)
> print(type(detb), detb)
> ski = x509.SubjectKeyIdentifier(detb)
> print(type(ski), ski)
> builder = builder.add_extension(ski, critical=False)
> certificate = builder.sign(hda_prkey, None)
>
> <class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'
> <class 'cryptography.x509.extensions.SubjectKeyIdentifier'>
> <SubjectKeyIdentifier(digest=b'2001003ffe3ff805f64b0a656aaee568')>
>
> X509v3 extensions:
> X509v3 Subject Alternative Name: critical
> IP Address:2001:3F:FE3F:F805:F64B:A65:6AAE:E568
> X509v3 Subject Key Identifier:
> 32:30:30:31:30:30:33:66:66:65:33:66:66:38:30:35:66:36:34:62:30:61:36:35:36:61:61:65:65:35:36:38
>
> SAN gets the "right" value, SKI does not.
>
> On 3/13/25 6:12 PM, Alex Gaynor wrote:
> > Notwithstanding that the field is named digest, it can be any value.
> >
> > If you look at the generated X.509 certificate for any SKI value you
> > provide, you'll see it ends up in the certificate directly.
> >
> > Alex
> >
> > On Thu, Mar 13, 2025 at 6:09 PM Robert Moskowitz <r...@htt-consult.com>
> > wrote:
> >> 5280 does not REQUIRE SKI to be a digest. It can be any value you want.
> >>
> >> And in fact with openssl directly I can have in my config:
> >>
> >> [ usr_cert ]
> >> # Extensions for client certificates (`man x509v3_config`).
> >> subjectKeyIdentifier = $ENV::ski
> >> authorityKeyIdentifier = keyid:always
> >>
> >> Where I have:
> >>
> >> export ski=2001003FFE3FF8059B0E2860EB0BACDE
> >>
> >> e.g.:
> >>
> >> X509v3 extensions:
> >> X509v3 Subject Key Identifier:
> >> 20:01:00:3F:FE:3F:F8:05:9B:0E:28:60:EB:0B:AC:DE
> >> X509v3 Authority Key Identifier:
> >> 20:01:00:3F:FE:3F:F8:05:E8:05:A9:8F:9D:F1:5E:2D
> >>
> >>
> >> On 3/13/25 5:55 PM, Alex Gaynor wrote:
> >>> I don't understand your question. As you can see, the value you pass
> >>> as the digest is the same as the value the SKI instance has. And as
> >>> the documentation states, digest and key_identifier are aliases for
> >>> each other (as attributes on an SKI).
> >>>
> >>> Alex
> >>>
> >>> On Thu, Mar 13, 2025 at 5:53 PM Robert Moskowitz <r...@htt-consult.com>
> >>> wrote:
> >>>> I can't seem to defeat it digesting the argument:
> >>>>
> >>>> print(type(detb), detb)
> >>>> ski = x509.SubjectKeyIdentifier(detb)
> >>>> print(type(ski), ski)
> >>>>
> >>>> <class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'
> >>>> <class 'cryptography.x509.extensions.SubjectKeyIdentifier'>
> >>>> <SubjectKeyIdentifier(digest=b'2001003ffe3ff805f64b0a656aaee568')>
> >>>>
> >>>> I don't WANT detb to be digested. I just want its value in
> >>>> SubjectKeyIdentifier
> >>>>
> >>>> I tried, after rereading that web page doc:
> >>>>
> >>>> ski = x509.SubjectKeyIdentifier(key_identifier=detb)
> >>>>
> >>>> But that threw an error
> >>>>
> >>>>
> >>>> On 3/13/25 5:34 PM, Alex Gaynor via Cryptography-dev wrote:
> >>>>> You can pass any bytes value to the constructor:
> >>>>> https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier
> >>>>> (Sphinx doesn't highlight it, but you can see the constructor's
> >>>>> signature `SubjectKeyIdentifier(digest)`).
> >>>>>
> >>>>> Alex
> >>>>>
> >>>>> On Thu, Mar 13, 2025 at 5:32 PM Robert Moskowitz <r...@htt-consult.com>
> >>>>> wrote:
> >>>>>> Per RFC5280
> >>>>>>
> >>>>>> Although the common practice for SubjectKeyIdentifier is to SHA1 hash
> >>>>>> the public key, sec 4.2.1.2 clearly states that:
> >>>>>>
> >>>>>> "Other methods of generating unique numbers are also acceptable."
> >>>>>>
> >>>>>> And in fact, using openSSL I have set whatever value I have wanted into
> >>>>>> SubjectKeyIdentifier in the config file.
> >>>>>>
> >>>>>> But it seems in
> >>>>>>
> >>>>>> https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier.from_public_key
> >>>>>>
> >>>>>> "digest" is the only allowed option.
> >>>>>>
> >>>>>> For example I have an IPv6 address that the reverse lookup will get you
> >>>>>> all the RR you may need for the thing. So I would want
> >>>>>>
> >>>>>> 2001003ffe3ff805f64b0a656aaee56
> >>>>>>
> >>>>>> as my SubjectKeyIdentifier
> >>>>>>
> >>>>>> How can I do this? What type does that value need to be?
> >>>>>>
> >>>>>> Of course for AuthorityKeyIdentifier I think I can "cheat" by using the
> >>>>>> int value of that ipv6 addr and feeding it in as the serial_number.
> >>>>>>
> >>>>>> thank you
> >>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Cryptography-dev mailing list
> >>>>>> Cryptography-dev@python.org
> >>>>>> https://mail.python.org/mailman/listinfo/cryptography-dev
>
>
> --
> All that is necessary for evil to succeed is for good people to do nothing.
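The encoding mix-up in the thread, worked through as an added example (this is not code from the thread, nor from pyca/cryptography or OpenSSL). The point is the one Alex makes: `SubjectKeyIdentifier(digest)` stores whatever bytes it is given verbatim, so passing `b'2001003f...'` stores the 32 ASCII characters of the hex text, which OpenSSL then prints as `32:30:30:31:...`. The value that was wanted is the 16 raw octets of the address, which `ipaddress.IPv6Address(...).packed` produces. Everything except `build_ski` uses only the standard library; `build_ski` assumes the `cryptography` package is installed and imports it lazily. The address and the OpenSSL rendering are the ones pasted in the thread.

```python
import binascii
import ipaddress

# Address from the thread (constructed input for the example).
THREAD_ADDR = "2001:3f:fe3f:f805:f64b:a65:6aae:e568"


def ipv6_key_identifier(addr: str) -> bytes:
    """The 16 raw octets of an IPv6 address. RFC 5280 4.2.1.2 only requires
    a key identifier to be unique, so any bytes are acceptable; this is the
    value that should be handed to SubjectKeyIdentifier(digest)."""
    return ipaddress.IPv6Address(addr).packed


def hex_text_key_identifier(addr: str) -> bytes:
    """The mistake in the thread: the lower-case hex *text* of the address
    encoded as ASCII. It is 32 bytes drawn from '0'-'9' and 'a'-'f', not the
    address itself, and it is what detb held."""
    return ipaddress.IPv6Address(addr).packed.hex().encode("ascii")


def openssl_style(value: bytes) -> str:
    """Render bytes the way `openssl x509 -text` prints a key identifier:
    upper-case hex octets separated by colons."""
    return ":".join(f"{b:02X}" for b in value)


def decode_openssl_hex(text: str) -> bytes:
    """Invert openssl_style(): what Alex did with binascii.unhexlify to show
    that the certificate contained ASCII hex characters."""
    return binascii.unhexlify(text.replace(":", ""))


def looks_like_hex_text(value: bytes) -> bool:
    """Heuristic check for the bug: a key identifier made only of hex-digit
    ASCII bytes, with even length, is almost certainly hex text that was
    never decoded. Use it as a sanity check before signing."""
    hexdigits = set(b"0123456789abcdefABCDEF")
    return len(value) % 2 == 0 and len(value) > 0 and all(b in hexdigits for b in value)


def der_octet_string(value: bytes) -> bytes:
    """DER-encode an OCTET STRING (tag 0x04). The SubjectKeyIdentifier
    extension value is KeyIdentifier ::= OCTET STRING, so this is exactly
    what ends up inside the extension's extnValue."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return b"\x04" + length + value


def build_ski(addr: str):
    """Build a cryptography SubjectKeyIdentifier carrying the raw address
    bytes. Assumption: the `cryptography` package is installed; the import
    is deferred so the rest of this module runs without it."""
    from cryptography import x509

    return x509.SubjectKeyIdentifier(ipv6_key_identifier(addr))


if __name__ == "__main__":
    wrong = hex_text_key_identifier(THREAD_ADDR)
    right = ipv6_key_identifier(THREAD_ADDR)
    print("hex text (what was passed):", len(wrong), "bytes ->", openssl_style(wrong))
    print("raw octets (what was wanted):", len(right), "bytes ->", openssl_style(right))
    print("looks like undecoded hex text?", looks_like_hex_text(wrong), looks_like_hex_text(right))
```

If the value you already have is the hex text as bytes (as `detb` was), `bytes.fromhex(detb.decode("ascii"))` or `binascii.unhexlify(detb)` gives the same 16 octets as `.packed`; either is fine, but compute it once and keep the raw form so the SAN and the SKI are derived from the same object. The `looks_like_hex_text` check is the cheap guard to run before `builder.sign()`: a 16-byte IPv6-derived identifier will fail it, a 32-byte hex string will trip it.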