Closed ajpauwels closed 3 years ago
As specified in section 4.2 of RFC5280, the value of an extension should be an OCTET STRING wrapping the DER-encoded OCTET STRING of the actual value of the extension (https://datatracker.ietf.org/doc/html/rfc5280#section-4.2).
Currently, the x509 crate writes the DER-encoded value directly, without the wrapping OCTET STRING.
I'll PR a change shortly.
Example of correct cert (using SO's TLS cert, look at the Subject Key Identifier): -----BEGIN CERTIFICATE----- MIIG9DCCBdygAwIBAgISA8DYut7wo8SXZw8vWUxBoRJBMA0GCSqGSIb3DQEBCwUA MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD EwJSMzAeFw0yMTA4MTUxMzA3MzRaFw0yMTExMTMxMzA3MzJaMB4xHDAaBgNVBAMM Eyouc3RhY2tleGNoYW5nZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQDn0tiB4v6DOp+5qNQD6VbHE1Hs9VBOxOl2gMOt4wJEB8DjuW/0fgrhDo+N xstje4QENhdrF9Ag4HHId4zeXksVM8VztsfeIZxWQpuk/Zqi/Tzr3de0qB20F4oo se3nX9mswBA+mI9/L3SPq+BkCXb0LMVOu1Wfk1TQ/NNzUHXtr3z5Nt7TzDB3vp/V A0zzzTtIy4GoYoAllAuMWBm4OJMrviFbvzcmzbvqESGnr9+CTZA/9TL2R0QwA+gb Es2baX7RWe1qYKD7usC6dxMSzrmR4ukI5wqmSQErRx/eygw5RgX2Wkk29t8e2ZQh YWDFH4KI7MfJsP/o4YYILtsMH45tAgMBAAGjggQWMIIEEjAOBgNVHQ8BAf8EBAMC BaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAw HQYDVR0OBBYEFEqp8UV9sl+gsvzEJBIh/QpD9k+XMB8GA1UdIwQYMBaAFBQusxe3 WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0 cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5j ci5vcmcvMIIB5AYDVR0RBIIB2zCCAdeCDyouYXNrdWJ1bnR1LmNvbYISKi5ibG9n b3ZlcmZsb3cuY29tghIqLm1hdGhvdmVyZmxvdy5uZXSCGCoubWV0YS5zdGFja2V4 Y2hhbmdlLmNvbYIYKi5tZXRhLnN0YWNrb3ZlcmZsb3cuY29tghEqLnNlcnZlcmZh dWx0LmNvbYINKi5zc3RhdGljLm5ldIITKi5zdGFja2V4Y2hhbmdlLmNvbYITKi5z dGFja292ZXJmbG93LmNvbYIVKi5zdGFja292ZXJmbG93LmVtYWlsgg8qLnN1cGVy dXNlci5jb22CDWFza3VidW50dS5jb22CEGJsb2dvdmVyZmxvdy5jb22CEG1hdGhv dmVyZmxvdy5uZXSCFG9wZW5pZC5zdGFja2F1dGguY29tgg9zZXJ2ZXJmYXVsdC5j b22CC3NzdGF0aWMubmV0gg1zdGFja2FwcHMuY29tgg1zdGFja2F1dGguY29tghFz dGFja2V4Y2hhbmdlLmNvbYISc3RhY2tvdmVyZmxvdy5ibG9nghFzdGFja292ZXJm bG93LmNvbYITc3RhY2tvdmVyZmxvdy5lbWFpbIIRc3RhY2tzbmlwcGV0cy5uZXSC DXN1cGVydXNlci5jb20wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEE BgorBgEEAdZ5AgQCBIH1BIHyAPAAdgBvU3asMfAxGdiZAKRRFf93FRwR2QLBACkG jbIImjfZEwAAAXtKI6GwAAAEAwBHMEUCIQDzAvPNSd9pkw4ltufhkQYe7dtuGGpM vJKpcxVE/EBQBAIgPE76BeIursp6nH68ScndfOBQcFP9cWtt67GaWG8UIvgAdgB9 
PvL4j/+IVWgkwsDKnlKJeSvFDngJfy5ql2iZfiLw1wAAAXtKI6GtAAAEAwBHMEUC IGb5JIi5eKssL2hT7vcYhta+Rg4GiwlvGvH7q/oo186rAiEAls+YZkVezUxcrUwK XMw7Nz2EZx4+dU7WcT2YLUFo74QwDQYJKoZIhvcNAQELBQADggEBAI+QUfE/pcxz Zw6e1XKcamc90v5JFP5gMSn4AHgAHfNeW6lU7RFJ3X7iXFoCX/h1GxaO8TMEW2MA JxXE92Wqga/fByVidzvP01kuYOJhtk8vCQJ6fm4QM+/PrvCuM3AYH45wy9MLVchp tvlCOTkFwl+qVUVpHORZwpt9IzZ3dnDPN+wtRhc9cS7HfTZhgbfbYSJnOcOdIoxL HTtD+tHa4VJ9/HFpgneb145uw+A7k0QGd8gcphf87ms9IcNXp7b8qWKO5DmGttyr SPhFQeLsyHeid6zEYfYwTHgRmBG/FDYqKkcYNR6b+3eGVs4b5O1jmu9cDuvP5hVX 6tallFt1cfk= -----END CERTIFICATE-----
Example of cert output by the x509 crate (unwrapped subject key identifier): -----BEGIN CERTIFICATE----- MIIBETCBxKADAgECAhUAmjF5hH2bvRNLfEhFPze3FvlalaAwBQYDK2VwMBIxEDAOBgNVBAMMB3Bh dXdlbHMwHhcNMjEwOTAzMTExMTMwWhcNMzEwMTAxMDAwMDAwWjASMRAwDgYDVQQDDAdwYXV3ZWxz MCowBQYDK2VwAyEAKJtKEGW9dH6IQHi2nt/iLR24Sh5Y6s6k4vpFph5gJsujKzApMCcGA1UdDgQg cKTUcN2KZBWIR8OdTERjtNV+O1x2/+yU8HZd+oEIfKowBQYDK2VwA0EA5qYginD6hbO+vLIGNoPz e756W0/xncApoOSLM53ou885YoleSEsfAeb0tNxB8/1b0dOKypVISijKwj4GRpZXCQ== -----END CERTIFICATE-----
I use this to compare: https://lapo.it/asn1js/
Never mind, this is my fault. I need to encode the value of the subject key identifier as a DER-encoded string before passing it in. This crate does everything correctly.
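The encoding point behind this thread, as an added example (this is not the x509 crate's code or API, and it uses no external crates): RFC 5280 defines `Extension { extnID OBJECT IDENTIFIER, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }`, where `extnValue` holds the DER encoding of the extension's own ASN.1 type. For SubjectKeyIdentifier that type is `KeyIdentifier ::= OCTET STRING`, so a correct SKI reads as OCTET STRING containing an OCTET STRING containing the key identifier. The 20-byte key identifier below is decoded from the Let's Encrypt certificate pasted above (`30 1D 06 03 55 1D 0E 04 16 04 14 4A A9 F1 45 ...`); the 32-byte value is constructed, and the header it produces (`30 27 06 03 55 1D 0E 04 20`) is the same header the second certificate above carries, where the raw identifier was passed in without being DER-encoded first. The function names are this example's own.

```rust
// Minimal DER helpers: build an X.509 Extension for SubjectKeyIdentifier
// the right way and the way the issue describes, and check which one
// carries a properly nested OCTET STRING.

const TAG_BOOLEAN: u8 = 0x01;
const TAG_OCTET_STRING: u8 = 0x04;
const TAG_OID: u8 = 0x06;
const TAG_SEQUENCE: u8 = 0x30;
/// id-ce-subjectKeyIdentifier (2.5.29.14), OID content bytes.
const OID_SKI: [u8; 3] = [0x55, 0x1D, 0x0E];
/// Key identifier decoded from the Let's Encrypt certificate in the issue.
const LE_KEY_ID: [u8; 20] = [
    0x4A, 0xA9, 0xF1, 0x45, 0x7D, 0xB2, 0x5F, 0xA0, 0xB2, 0xFC,
    0xC4, 0x24, 0x12, 0x21, 0xFD, 0x0A, 0x43, 0xF6, 0x4F, 0x97,
];

/// Encode one DER TLV: tag, definite-form length, content.
fn der_tlv(tag: u8, content: &[u8]) -> Vec<u8> {
    let mut out = vec![tag];
    let len = content.len();
    if len < 0x80 {
        out.push(len as u8);
    } else {
        // Long form: 0x80 | number of length octets, then big-endian length.
        let bytes: Vec<u8> = len.to_be_bytes().iter().copied().skip_while(|&b| b == 0).collect();
        out.push(0x80 | bytes.len() as u8);
        out.extend_from_slice(&bytes);
    }
    out.extend_from_slice(content);
    out
}

/// Extension { extnID, extnValue }. `value_der` must already be the DER
/// encoding of the extension's value type; this function only adds the
/// outer extnValue OCTET STRING, exactly as the thread concludes the crate does.
fn extension(oid: &[u8], value_der: &[u8]) -> Vec<u8> {
    let mut body = der_tlv(TAG_OID, oid);
    body.extend(der_tlv(TAG_OCTET_STRING, value_der));
    der_tlv(TAG_SEQUENCE, &body)
}

/// Correct: DER-encode KeyIdentifier (an OCTET STRING) before wrapping.
fn ski_extension_correct(key_id: &[u8]) -> Vec<u8> {
    extension(&OID_SKI, &der_tlv(TAG_OCTET_STRING, key_id))
}

/// The mistake from the issue: raw key-id bytes handed over as if DER.
fn ski_extension_unwrapped(key_id: &[u8]) -> Vec<u8> {
    extension(&OID_SKI, key_id)
}

/// Parse one TLV; returns (tag, content, remaining bytes) or None if malformed.
fn read_tlv(buf: &[u8]) -> Option<(u8, &[u8], &[u8])> {
    let tag = *buf.first()?;
    let len_byte = *buf.get(1)?;
    let (len, hdr) = if len_byte < 0x80 {
        (len_byte as usize, 2)
    } else {
        let n = (len_byte & 0x7F) as usize;
        if n == 0 || n > 4 || buf.len() < 2 + n {
            return None;
        }
        let mut l = 0usize;
        for &b in &buf[2..2 + n] {
            l = (l << 8) | b as usize;
        }
        (l, 2 + n)
    };
    let end = hdr.checked_add(len)?;
    if buf.len() < end {
        return None;
    }
    Some((tag, &buf[hdr..end], &buf[end..]))
}

/// True if `ext` is an SKI Extension whose extnValue is exactly one
/// well-formed OCTET STRING (the KeyIdentifier) with no trailing bytes.
fn ski_extn_value_is_well_formed(ext: &[u8]) -> bool {
    let Some((TAG_SEQUENCE, seq, rest)) = read_tlv(ext) else { return false };
    if !rest.is_empty() {
        return false;
    }
    let Some((TAG_OID, oid, mut after)) = read_tlv(seq) else { return false };
    if oid != OID_SKI.as_slice() {
        return false;
    }
    // Optional `critical BOOLEAN` may sit between extnID and extnValue.
    if let Some((TAG_BOOLEAN, _, r)) = read_tlv(after) {
        after = r;
    }
    let Some((TAG_OCTET_STRING, extn_value, trailing)) = read_tlv(after) else { return false };
    if !trailing.is_empty() {
        return false;
    }
    matches!(read_tlv(extn_value), Some((TAG_OCTET_STRING, _, r)) if r.is_empty())
}

fn hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{b:02x}")).collect()
}

fn main() {
    let good = ski_extension_correct(&LE_KEY_ID);
    let raw32: Vec<u8> = (0u8..32).collect(); // constructed 32-byte identifier
    let bad = ski_extension_unwrapped(&raw32);
    println!("correct:   {} well-formed={}", hex(&good), ski_extn_value_is_well_formed(&good));
    println!("unwrapped: {} well-formed={}", hex(&bad), ski_extn_value_is_well_formed(&bad));
}
```

The structural check is only a sanity check, not proof of correctness: a raw value that happens to begin with `04` followed by a length byte equal to the remaining count would parse as a nested OCTET STRING. Comparing against a decoder such as the asn1js tool linked above, or a known-good certificate, remains the reliable way to confirm the nesting.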