The hash method isn't explicitly encoded in the certificate, but it can be derived if you have the SubjectPublicKey(Info). If you have the public key, then you can calculate the IDs using the various methods and seeing which one matches the ID encoded in the certificate. The first method defined in RFC 5280, section https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.2 (SHA-1 of the subjectPublicKey field (not the SPKI as a whole)) is by far the most common method. The two methods in RFC 5280 require only the subjectPublicKey, whereas some of the methods defined in RFC 7093 use the SubjectPublicKeyInfo as a whole. Thanks, Corey -----Original Message----- From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Robert Moskowitz Sent: Wednesday, June 7, 2023 8:57 AM To: openssl-users@xxxxxxxxxxx Subject: Subject Key Identifier hash method I am trying to figure out if the Subject Key Identifier hash method is carried in the certificate. An asn1dump of a "regular" cert shows: 276:d=4 hl=2 l= 29 cons: SEQUENCE 278:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier 283:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04144F0C1A75F4AF13DC67EC18465C020FC22A82616B 307:d=4 hl=2 l= 31 cons: SEQUENCE 309:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier 314:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014A8885F91878E4ED6AA2056C535E2212413F96BA2 I cannot easily see if the hashing method is contained here. I am assuming it is a sha2 hash of the EdDSA public keys, but how do I tell? Of course I am asking as I want to use the rfc9374 DETs here. thanks
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
