spacemonkeygo / openssl

OpenSSL bindings for Go
http://godoc.org/github.com/spacemonkeygo/openssl
Apache License 2.0
473 stars, 236 forks

wrong X509v3 Authority Key Identifier #101

Closed SevenWhite closed 5 years ago

SevenWhite commented 5 years ago

Hello! Please help me sign my certificates correctly.

I have this code:

import "github.com/spacemonkeygo/openssl"

// signCertificate adds the usual client-certificate extensions to cert, marks
// caCert as its issuer and signs it with caKey (SHA-256).
func signCertificate(cert, caCert *openssl.Certificate, caKey openssl.PrivateKey) (err error) {
    if err = cert.AddExtensions(map[openssl.NID]string{
        openssl.NID_basic_constraints:        "CA:FALSE",
        openssl.NID_netscape_cert_type:       "client, email",
        openssl.NID_netscape_comment:         "OpenSSL Generated Client Certificate",
        openssl.NID_subject_key_identifier:   "hash",
        // "keyid" is meant to copy the issuer's Subject Key Identifier.
        openssl.NID_authority_key_identifier: "keyid,issuer",
        openssl.NID_key_usage:                "critical, nonRepudiation, digitalSignature, keyEncipherment",
        openssl.NID_ext_key_usage:            "clientAuth, emailProtection",
    }); err != nil {
        return err
    }

    // Note: the extensions above are added before the issuer is set.
    if err = cert.SetIssuer(caCert); err != nil {
        return err
    }

    return cert.Sign(caKey, openssl.EVP_SHA256)
}

My generated certificate has the same value in the 'X509v3 Authority Key Identifier' and 'X509v3 Subject Key Identifier' fields. This is a problem, because it means that the generated certificate is not valid. Could you help me with this problem?
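For reference, an added example (not part of this issue and not code from the spacemonkeygo/openssl project) of what the two identifiers should look like on a correctly issued client certificate, and a check for the symptom described above. It uses Go's standard crypto/x509 instead of the bindings, so it runs without cgo. The AKI "keyid" of an end-entity certificate is supposed to equal the Subject Key Identifier of the CA that signed it (RFC 5280 section 4.2.1.1); a certificate whose AKI equals its own SKI is claiming to have been issued by its own key. The names Issue, CheckAKI and keyID, the "Example Test CA" and "client" subjects, and the selfReferencingAKI switch that reproduces the bad case are all this example's own assumptions:

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// keyID computes the RFC 5280 4.2.1.2 method (1) identifier: SHA-1 over the
// subjectPublicKey BIT STRING, the value OpenSSL writes for
// "subjectKeyIdentifier = hash".
func keyID(pub *ecdsa.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	var spki struct {
		Algorithm pkix.AlgorithmIdentifier
		PublicKey asn1.BitString
	}
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		panic(err)
	}
	sum := sha1.Sum(spki.PublicKey.Bytes)
	return sum[:]
}

// oidAuthorityKeyId is id-ce-authorityKeyIdentifier (2.5.29.35).
var oidAuthorityKeyId = asn1.ObjectIdentifier{2, 5, 29, 35}

// CheckAKI is the check a certificate with the reported symptom fails:
// the leaf's AKI must equal the issuer's SKI and must not be its own SKI.
func CheckAKI(leaf, issuer *x509.Certificate) error {
	switch {
	case len(leaf.AuthorityKeyId) == 0:
		return errors.New("leaf has no authorityKeyIdentifier")
	case bytes.Equal(leaf.AuthorityKeyId, leaf.SubjectKeyId):
		return errors.New("leaf AKI equals its own SKI: derived from the wrong certificate")
	case !bytes.Equal(leaf.AuthorityKeyId, issuer.SubjectKeyId):
		return fmt.Errorf("leaf AKI %x != issuer SKI %x", leaf.AuthorityKeyId, issuer.SubjectKeyId)
	}
	return nil
}

// Issue builds a self-signed CA (constructed test data) and a client leaf
// signed by it. x509.CreateCertificate copies the parent's SubjectKeyId into
// the leaf's AKI, which is the correct behaviour. With selfReferencingAKI set,
// the AKI is overridden with the leaf's own SKI to reproduce the symptom.
func Issue(selfReferencingAKI bool) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: keyID(&caKey.PublicKey),
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafSKI := keyID(&leafKey.PublicKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		BasicConstraintsValid: true, // CA:FALSE
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment | x509.KeyUsageContentCommitment,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection},
		SubjectKeyId:          leafSKI,
	}
	if selfReferencingAKI {
		// ExtraExtensions override the AKI CreateCertificate would generate.
		raw, merr := asn1.Marshal(struct {
			Id []byte `asn1:"optional,tag:0"`
		}{leafSKI})
		if merr != nil {
			return nil, nil, merr
		}
		leafTmpl.ExtraExtensions = []pkix.Extension{{Id: oidAuthorityKeyId, Value: raw}}
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

func main() {
	for _, bad := range []bool{false, true} {
		ca, leaf, err := Issue(bad)
		if err != nil {
			panic(err)
		}
		fmt.Printf("selfReferencingAKI=%v SKI=%x AKI=%x check=%v\n",
			bad, leaf.SubjectKeyId, leaf.AuthorityKeyId, CheckAKI(leaf, ca))
	}
}
```

CheckAKI can be run against any parsed leaf and CA pair (for example PEM produced by the bindings and loaded with x509.ParseCertificate) to confirm whether the AKI was taken from the CA or from the certificate itself.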

zeebo commented 5 years ago

Sorry, this doesn't appear to be a problem in the bindings. NID_subject_key_identifier and NID_authority_key_identifier have distinct values that match the definitions in https://github.com/openssl/openssl/blob/f52292be10cb42c25ae83be969d3ad469ea7cb4e/include/openssl/obj_mac.h.