On Wed, Mar 25, 2020 at 05:47:01PM +0100, Dirk wrote:

> >> My expectation (maybe wrong) is that the serial and the issuer name belong to
> >> the same X509 certificate that the key id belongs to.
> >
> > Your expectation is "wrong". The issuer DN in the AKID is in fact
> > supposed to be the issuer's issuer. It would be redundant to
> > encode the issuer DN there, it is already present in the EE
> > certificate.
>
> Thank you Victor. Can you point me to the rfc that defines this?

You could just save time and take my word for it, based on the logical
argument that the issuer public key is identified by the serial number
and DN of the CA that signed its certificate (the combination required
to be unique) and that repeating the EE issuer DN would be redundant.

The text in RFC 5280 is not terribly clear, but is basically a brief
restatement of X.509. If you really want to puzzle over more text see
(page 24, physical page 34 of):

    http://handle.itu.int/11.1002/1000/9590-en?locatt=format:pdf

    8.2.2.1 Authority key identifier extension

    This field, which may be used as either a certificate extension or
    CRL extension, identifies the public key to be used to verify the
    signature on this certificate or CRL. It enables distinct keys used
    by the same CA to be distinguished (e.g., as key updating occurs).

    This field is defined as follows:

        authorityKeyIdentifier EXTENSION ::= {
            SYNTAX         AuthorityKeyIdentifier
            IDENTIFIED BY  id-ce-authorityKeyIdentifier }

        AuthorityKeyIdentifier ::= SEQUENCE {
            keyIdentifier              [0] KeyIdentifier OPTIONAL,
            authorityCertIssuer        [1] GeneralNames OPTIONAL,
            authorityCertSerialNumber  [2] CertificateSerialNumber OPTIONAL }
            ( WITH COMPONENTS {..., authorityCertIssuer PRESENT, authorityCertSerialNumber PRESENT} |
              WITH COMPONENTS {..., authorityCertIssuer ABSENT, authorityCertSerialNumber ABSENT} )

        KeyIdentifier ::= OCTET STRING

    The key may be identified by an explicit key identifier in the
    keyIdentifier component, by identification of a certificate for the
    key (giving certificate issuer in the authorityCertIssuer component
    and certificate serial number in the authorityCertSerialNumber
    component), or by both explicit key identifier and identification
    of a certificate for the key. If both forms of identification are
    used then the certificate or CRL issuer shall ensure they are
    consistent. A key identifier shall be unique with respect to all key
    identifiers for the issuing authority for the certificate or CRL
    containing the extension. An implementation which supports this
    extension is not required to be able to process all name forms in
    the authorityCertIssuer component. (See 8.3.2.1 for details of the
    GeneralNames type.) Certification authorities shall assign
    certificate serial numbers such that every (issuer, certificate
    serial number) pair uniquely identifies a single certificate.

    The keyIdentifier form can be used to select CA certificates during
    path construction. The authorityCertIssuer, authoritySerialNumber
    pair can only be used to provide preference to one certificate over
    others during path construction.

    This extension is always non-critical.

-- 
	Viktor.
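The following is an added example, not code from the mailing-list thread or from OpenSSL: it builds a root -> intermediate -> end-entity chain with the Python `cryptography` library, fills the AKID with both forms of identification as 8.2.2.1 describes (the issuer's key id plus the (issuer, serial) pair of the issuer's own certificate), and checks the consistency the text requires. All names, serials and keys are constructed; the helper names are my own.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def issue(subject_cn, key, issuer_cert, issuer_key, is_ca):
    """Sign a cert for `key`; issuer_cert=None means self-signed. Names are constructed."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    now = datetime.datetime(2020, 3, 25)
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer_cert.subject if issuer_cert else subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()),
                        critical=False))
    if issuer_cert is not None:
        # Both AKID forms: the issuer's SKI, plus the (issuer, serial) pair that
        # identifies the *issuer's own* certificate, i.e. the issuer's issuer DN
        # and the issuer's serial, not the EE's issuer DN.
        ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
        b = b.add_extension(x509.AuthorityKeyIdentifier(
            key_identifier=ski.digest,
            authority_cert_issuer=[x509.DirectoryName(issuer_cert.issuer)],
            authority_cert_serial_number=issuer_cert.serial_number), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def akid_issuer_name(cert):
    """The DN carried in authorityCertIssuer (assumes a single directoryName)."""
    akid = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    return akid.authority_cert_issuer[0].value

def akid_consistent(cert, issuer_cert):
    """The consistency check 8.2.2.1 requires when both forms of identification are used."""
    akid = cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value
    ski = issuer_cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value
    return (akid.key_identifier == ski.digest
            and [n.value for n in akid.authority_cert_issuer] == [issuer_cert.issuer]
            and akid.authority_cert_serial_number == issuer_cert.serial_number)

# Constructed three-level chain: root -> intermediate -> end entity.
root_key, int_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root = issue("Example Root", root_key, None, root_key, True)
inter = issue("Example Intermediate", int_key, root, root_key, True)
ee = issue("host.example", ee_key, inter, int_key, False)
```

Inspecting `akid_issuer_name(ee)` shows the root's DN (the intermediate's issuer), not the intermediate's own DN that already sits in the EE's issuer field.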