RE: The value of subject key identifier calculated

Fri, 18 Dec 2009 17:07:08 -0800 

>       From: owner-openssl-us...@openssl.org On Behalf Of tushar ganguli
>       Sent: Friday, 18 December, 2009 00:38

>       Hi Steve,
>       I did what you said (please correct me if I am wrong) and still 
> the ouput is not mappiing, below please find the steps I'd taken:
        
>       1. openssl asn1parse -inform der -in my.key
<snip header>
>       22:d=1  hl=4 l= 607 prim: OCTET STRING      [HEX DUMP]:

607 is awfully large for a pubkey, especially RSA; assuming a normal 
(small) E, it would be about 4750 bits. Also, the usual labelled pubkey 
format (the X.509 PublicKeyInfo) uses a BIT STRING not an OCTET STRING.
Are you sure this is your (extracted/converted) pubkey not your privkey?
607 would be sensible for RSA-1024 privkey in CRT format, as OpenSSL uses.
        
>       2. openssl asn1parse -inform der -in my.key -strparse 22 -out
mypubkey.der
>       3. openssl sha1 -c mypubkey.der
>       SHA1(mypubkey.der)=
8d:51:f3:a7:03:5a:79:ca:14:1c:5f:9d:92:39:32:28:a8:1e:e3:7f

asn1parse -strparse will decode the structure embedded in a field, as here,
but its output is not DER, not even remotely; it's a human-readable dump.

If on Unix try something much more like:
  dd if=my.key of=my.real.key bs=1 skip=26 count=607
  # offset 22 + hl 4 = 26 is the V of the TLV you want
That should get the actual key as DER. To check:
  openssl asn1parse -in my.real.key -inform der
should show you the correct numbers (N,E) of your key.
Then sha1 that file.

If on Windows, there are ports of Unix tools various places.
But they need to correctly select binary versus text open on files.
A decent port of dd should do this, but others (e.g. sed) might not.

Note: the above is for a labelled OCTET STRING, which as above may be wrong.
If you have/get a BIT STRING, you need to drop the 'padbits' octet 
which is counted in the V in DER/BER even though it arguably oughtn't;
add 1 to the hl you add to the starting offset, and subtract 1 from length.

<snip>


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to