oxidecomputer / pki-playground

Tool for generating non-trivial X.509 certificate chains
Mozilla Public License 2.0

failed to set `authorityKeyIdentifier` in root cert #89

Closed flihp closed 6 months ago

flihp commented 7 months ago

The authorityKeyIdentifier is defined here: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.1. We're able to set this field for certs that aren't the root / self-signed. Attempts to set this field on a root / self-signed cert produce an error. For input:

key-pair "root" {
    ed25519
}

entity "root" {
    country-name "foo"
    organization-name "bar"
    common-name "baz"
}

certificate "root" {
    issuer-key "root"
    issuer-certificate "root"
    subject-entity "root"
    subject-key "root"

    not-after "9999-12-31T23:59:59Z"
    extensions {
        authority-key-identifier critical=false {
            key-id
        }
    }
    serial-number "00"
}

the command to generate the cert fails with the following:

$ cargo run -- --config examples/authority-key-identifier.kdl generate-key-pairs
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/pki-playground --config examples/authority-key-identifier.kdl generate-key-pairs`
Writing key pair to "root.key.pem"
$ cargo run -- --config examples/authority-key-identifier.kdl generate-certificates
    Finished dev [unoptimized + debuginfo] target(s) in 0.03s
     Running `target/debug/pki-playground --config examples/authority-key-identifier.kdl generate-certificates`
Error:   × Unable to load issuer certificate "root" from file "root.cert.der"
  ╰─▶ No such file or directory (os error 2)

It appears as though we're only able to generate this field for certs with a parent that exists on disk. All of this said, it doesn't make a ton of sense to set this field on a root cert because it'll be identical to the subject-key-identifier, and that one works fine. Still, it's a valid config for a cert, and the RFC states that for self-signed certs it MAY be omitted (implying that it's not required). AFAIK openssl ca generates self-signed certs w/ both the authorityKeyIdentifier and the subjectKeyIdentifier set, so I'd say we should support this config unless the work is prohibitively expensive.

flihp commented 7 months ago

This can be worked around by identifying the issuer through the issuer-key instead of issuer-certificate node. We only need the key to generate authority-key-identifier so generating it instead of copying it from the issuer-certificate works fine.
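The workaround above rests on the key identifier being derivable from the issuer's public key alone, so no issuer certificate file is needed. The following is an added example (not code from this issue or from pki-playground) using only the Python standard library: it extracts the subjectPublicKey bits from a constructed Ed25519 SubjectPublicKeyInfo, derives the RFC 5280 section 4.2.1.2 method (1) key identifier, encodes the SKI and AKI extension values, and checks that for a self-signed cert the AKI keyIdentifier equals the SKI.

```python
import hashlib

# Constructed sample, not a real key: a 32-byte Ed25519 public key wrapped
# in the RFC 8410 SubjectPublicKeyInfo encoding (algorithm OID 1.3.101.112).
ED25519_ALG_ID = bytes.fromhex("300506032b6570")
SAMPLE_PUBKEY = bytes(range(32))
SAMPLE_SPKI = b"\x30\x2a" + ED25519_ALG_ID + b"\x03\x21\x00" + SAMPLE_PUBKEY


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV (short or long form length); return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def subject_public_key_bits(spki_der: bytes) -> bytes:
    """Return the subjectPublicKey BIT STRING payload without the unused-bits byte."""
    tag, seq, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    _, _, pos = _read_tlv(seq, 0)  # skip AlgorithmIdentifier
    tag, bits, _ = _read_tlv(seq, pos)
    if tag != 0x03:
        raise ValueError("subjectPublicKey must be a BIT STRING")
    return bits[1:]


def key_identifier(spki_der: bytes) -> bytes:
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the BIT STRING value bits."""
    return hashlib.sha1(subject_public_key_bits(spki_der)).digest()


def subject_key_identifier_ext(spki_der: bytes) -> bytes:
    """extnValue of SubjectKeyIdentifier: OCTET STRING keyIdentifier."""
    kid = key_identifier(spki_der)
    return b"\x04" + bytes([len(kid)]) + kid


def authority_key_identifier_ext(issuer_spki_der: bytes) -> bytes:
    """extnValue of AuthorityKeyIdentifier built from the issuer key alone:
    SEQUENCE { [0] IMPLICIT keyIdentifier }."""
    kid = key_identifier(issuer_spki_der)
    inner = b"\x80" + bytes([len(kid)]) + kid
    return b"\x30" + bytes([len(inner)]) + inner


def aki_matches_ski(subject_spki: bytes, issuer_spki: bytes) -> bool:
    """True when AKI keyIdentifier equals SKI, as it must for a self-signed cert."""
    aki = authority_key_identifier_ext(issuer_spki)
    return aki[4:] == subject_key_identifier_ext(subject_spki)[2:]
```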