c - 如何从 C 中的公钥创建 AuthorityKeyIdentifier？

Question

我正在使用 openssl 创建一个自签名证书。

我使用 openssl 函数创建了一个 key 对 RSA_generate_key() :

key = RSA_generate_key(1024, 65537, null, 0);

现在，我想生成 Authority Key Identifier对于自签名证书。

RFC 说:

The value of the keyIdentifier field SHOULD be derived from thepublic key used to verify the certificate's signature or a method that generates unique values. Two common methods for generating keyidentifiers from the public key are described in Section 4.2.1.2.

好的。我们来看一下。在提到的第 4.2.1.2 节中，描述说:

(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of thevalue of the BIT STRING subjectPublicKey (excluding the tag,length, and number of unused bits).

(2) The keyIdentifier is composed of a four-bit type field withthe value 0100 followed by the least significant 60 bits ofthe SHA-1 hash of the value of the BIT STRINGsubjectPublicKey (excluding the tag, length, and number ofunused bits).

如果我想使用版本 (1):如何获取要散列的数据以创建有效的授权 key 标识符？

Answer 1

首先您需要创建证书。然后添加权限 key 标识符扩展如下:

add_ext(YourX509SelfSignedCert, NID_authority_key_identifier, "keyid,issuer");

你也可以只使用keyid，有一篇很好的文章说用哪个here