Python variable types are the death of me, as they say.
I pre-date this object stuff and really struggle with it (I coded in 'B').

So burned again.

So please lend a hand.

det is str:  <class 'str'> 2001003ffe3ff805f64b0a656aaee568

So I have done:
detb = bytes(det, 'utf-8')
<class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'

How do I get 'raw'?

thanks



On 3/13/25 6:25 PM, Alex Gaynor wrote:
That's because the string encodings are different.

The digest parameter to SKI is raw bytes, and OpenSSL is showing you
their hex encoding:

import binascii
binascii.unhexlify("32:30:30:31:30:30:33:66:66:65:33:66:66:38:30:35:66:36:34:62:30:61:36:35:36:61:61:65:65:35:36:38".replace(":", ""))

b'2001003ffe3ff805f64b0a656aaee568'

Alex

On Thu, Mar 13, 2025 at 6:18 PM Robert Moskowitz <r...@htt-consult.com> wrote:
that is not what I am seeing:

builder = builder.add_extension(
    x509.SubjectAlternativeName([x509.IPAddress(ipaddress.IPv6Address(deti))]),
    critical=True,
)
print(type(detb), detb)
ski = x509.SubjectKeyIdentifier(detb)
print(type(ski), ski)
builder = builder.add_extension(ski, critical=False)
certificate = builder.sign(hda_prkey, None)

<class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'
<class 'cryptography.x509.extensions.SubjectKeyIdentifier'>
<SubjectKeyIdentifier(digest=b'2001003ffe3ff805f64b0a656aaee568')>

          X509v3 extensions:
              X509v3 Subject Alternative Name: critical
                  IP Address:2001:3F:FE3F:F805:F64B:A65:6AAE:E568
              X509v3 Subject Key Identifier:
32:30:30:31:30:30:33:66:66:65:33:66:66:38:30:35:66:36:34:62:30:61:36:35:36:61:61:65:65:35:36:38

SAN gets the "right" value, SKI does not.

On 3/13/25 6:12 PM, Alex Gaynor wrote:
Notwithstanding that the field is named digest, it can be any value.

If you look at the generated X.509 certificate for any SKI value you
provide, you'll see it ends up in the certificate directly.

Alex

On Thu, Mar 13, 2025 at 6:09 PM Robert Moskowitz <r...@htt-consult.com> wrote:
5280 does not REQUIRE SKI to be a digest.  It can be any value you want.

And in fact with openssl directly I can have in my config:

[ usr_cert ]
# Extensions for client certificates (`man x509v3_config`).
subjectKeyIdentifier = $ENV::ski
authorityKeyIdentifier = keyid:always

Where I have:

export ski=2001003FFE3FF8059B0E2860EB0BACDE

e.g.:

           X509v3 extensions:
               X509v3 Subject Key Identifier:
                   20:01:00:3F:FE:3F:F8:05:9B:0E:28:60:EB:0B:AC:DE
               X509v3 Authority Key Identifier:
                   20:01:00:3F:FE:3F:F8:05:E8:05:A9:8F:9D:F1:5E:2D


On 3/13/25 5:55 PM, Alex Gaynor wrote:
I don't understand your question. As you can see, the value you pass
as the digest is the same as the value the SKI instance has. And as
the documentation states, digest and key_identifier are aliases for
each other (as attributes on an SKI).

Alex

On Thu, Mar 13, 2025 at 5:53 PM Robert Moskowitz <r...@htt-consult.com> wrote:
I can't seem to defeat it digesting the argument:

print(type(detb), detb)
ski = x509.SubjectKeyIdentifier(detb)
print(type(ski), ski)

<class 'bytes'> b'2001003ffe3ff805f64b0a656aaee568'
<class 'cryptography.x509.extensions.SubjectKeyIdentifier'>
<SubjectKeyIdentifier(digest=b'2001003ffe3ff805f64b0a656aaee568')>

I don't WANT detb to be digested.  I just want its value in
SubjectKeyIdentifier

I tried, after rereading that web page doc:

ski = x509.SubjectKeyIdentifier(key_identifier=detb)

But that threw an error


On 3/13/25 5:34 PM, Alex Gaynor via Cryptography-dev wrote:
You can pass any bytes value to the constructor:
https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier
(Sphinx doesn't highlight it, but you can see the constructor's
signature `SubjectKeyIdentifier(digest)`).

Alex

On Thu, Mar 13, 2025 at 5:32 PM Robert Moskowitz <r...@htt-consult.com> wrote:
Per RFC5280

Although the common practice for SubjectKeyIdentifier is to SHA1 hash
the public key, sec 4.2.1.2 clearly states that:

"Other methods of generating unique numbers are also acceptable."

And in fact, using openSSL I have set whatever value I have wanted into
SubjectKeyIdentifier in the config file.

But it seems in

https://cryptography.io/en/latest/x509/reference/#cryptography.x509.SubjectKeyIdentifier.from_public_key

"digest" is the only allowed option.

For example I have an IPv6 address that the reverse lookup will get you
all the RR you may need for the thing.  So I would want

2001003ffe3ff805f64b0a656aaee56

as my SubjectKeyIdentifier

How can I do this?  What type does that value need to be?

Of course for AuthorityKeyIdentifier I think I can "cheat" by using the
int value of that ipv6 addr and feeding it in as the serial_number.

thank you


_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev

