OpenSSL "x509 -pubout" - Export Public Key"

Q

How to calculate the subject key identifier of a certificate uisng OpenSSL commands? I want to see if it matches the "X509v3 Subject Key Identifier" in the certificate.

✍: FYIcenter.com

A

Accoding to the RFC5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", the Subject Key Identifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).

You can follow this definition and use OpenSSL commands to calculate the Subject Key Identifier from a certificate as shown in the test below:

C:\Users\fyicenter>\local\OpenSSL\openssl

OpenSSL> x509 -pubkey -in twitter.crt -noout > twitter_pub.key

OpenSSL> asn1parse -in twitter_pub.key
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING

OpenSSL> asn1parse -strparse 19 -in twitter_pub.key -out twitter_pub_key.bit
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :C20898FA67000555B60B610E1AD7B58A
C1CC03BE3C17FB94F7D9FA4C9F46609C6AAD7D3AE5345A12B0B20BAAEC96E158812FAD60AB479369
E3847553C1F90FB946AB9EEAAB18988C6854085165431A6197275C5E0F15E9CD16ABDD515B762FFC
D311999DD2A63D870275E62496E2043E149CFA7EB871423700B5B08AE233958BDA3FFB634D3762D5
1C02EA307EDC0D53D5D40BB8A310136D1F89940B6A9444672982ADE6D5B052FC955706D6D1226684
D3922A02C79456DF553FC213F27C167833A153F777975CB79605D544F4BFEF83225D7AE68FE4ACDF
349EB60F0A53F01ADB71376992F614A91C7565724524093B2C6AD7B969A5DCDF6D9C6BFCC6A25B31
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

OpenSSL> dgst -sha1 twitter_pub_key.bit
SHA1(twitter_pub_key.bit)= 9f627bb2880eee1b79e06924e5ba3f47a60b02f0

OpenSSL> x509 -text -in twitter.crt -noout
...
            X509v3 Subject Key Identifier:
                9F:62:7B:B2:88:0E:EE:1B:79:E0:69:24:E5:BA:3F:47:A6:0B:02:F0
...

Notes about the test:

  • "x509 -pubkey ..." command extrats the public key from the certificate.
  • "asn1parse -in twitter_pub.key" command displays the public key file structure, showing that the "BIT STRING" value of the public key is at 0x19 offset position.
  • "asn1parse -strparse 19 ..." command extracts the "BIT STRING" value at 0x19 offset position and save it in file.
  • "dgst -sha1 ..." command gets the SHA-1 hash of the "BIT STRING" value.
  • "x509 -text ..." command displays details of the certificate including the Subject Key Identifier, which matches the SHA-1 hash from the "dgst -sha1 ..." command.

Note that not all certificates stores the Subject Key Identifier value.

 

OpenSSL "verify" Command

OpenSSL "x509 -pubkey" - Export Public Key"

OpenSSL "x509" Command

⇑⇑ OpenSSL Tutorials

2016-10-17, 7801👍, 0💬