
pki: calculate Subject Key Identifier according to RFC 5280 #11218


Conversation

oncilla
Copy link
Contributor

@oncilla oncilla commented Mar 26, 2021

Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2

(1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).

fixes #11153
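As an added illustration (not code from this PR or from Vault), the method (1) calculation described above in Go: the SubjectPublicKeyInfo is parsed so that only the value of the subjectPublicKey BIT STRING is hashed, and the result is cross-checked against crypto/x509, which fills in the same SHA-1 identifier for CA templates since Go 1.15. The seed, the CA name and the MatchesStdlib helper are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

type subjectPublicKeyInfo struct { // SubjectPublicKeyInfo SEQUENCE, RFC 5280 Section 4.1
	Algorithm        pkix.AlgorithmIdentifier
	SubjectPublicKey asn1.BitString
}

// SubjectKeyID implements RFC 5280 Section 4.2.1.2 method (1): SHA-1 over the BIT STRING value only.
func SubjectKeyID(pub interface{}) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return nil, err
	}
	var spki subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(der, &spki); err != nil {
		return nil, err
	}
	sum := sha1.Sum(spki.SubjectPublicKey.Bytes) // .Bytes excludes tag, length and unused-bits octet
	return sum[:], nil
}

// MatchesStdlib cross-checks against crypto/x509, which (Go 1.15+) fills an empty SubjectKeyId on CA templates.
func MatchesStdlib() (bool, error) {
	priv := ed25519.NewKeyFromSeed([]byte("constructed-seed-for-skid-demo-1")) // constructed, deterministic
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return false, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	want, err := SubjectKeyID(priv.Public())
	return err == nil && string(cert.SubjectKeyId) == string(want), err
}
```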


@oncilla
Copy link
Contributor Author

oncilla commented Mar 26, 2021

Note that this change could potentially be considered a breaking change.

@cipherboy
Copy link
Contributor

Hey @oncilla Do you mind rebasing this? I've begun taking a look at this PR. :-)

@cipherboy cipherboy self-requested a review November 9, 2021 17:42
@cipherboy cipherboy self-assigned this Nov 9, 2021
Calculate the Subject Key Identifier as suggested in RFC 5280, Section 4.2.1.2

> (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the
value of the BIT STRING subjectPublicKey (excluding the tag,
length, and number of unused bits).

fixes hashicorp#11153
@oncilla
Copy link
Contributor Author

oncilla commented Nov 13, 2021

@cipherboy Rebased and added the changelog entry.

I wonder if this classifies as a change, or as an improvement. Are there any docs on this?

@cipherboy
Copy link
Contributor

cipherboy commented Nov 17, 2021

Hi @oncilla, I'm not sure if we have any docs on it. I personally feel (and, from historical conversations with the team, think we're generally aligned) that this is a bug more than anything. Dogtag, Let's Encrypt's Boulder, and EJBCA (via BouncyCastle) -- to name a few I looked at -- all appear to use this method for SKID calculation. My 2c.

@cipherboy
Copy link
Contributor

Looks good; thanks for this @oncilla and sorry about the delay :-)

@cipherboy cipherboy merged commit fbb34b0 into hashicorp:main Jan 28, 2022