Solved? - Re: Subject Key Identifier using SHAKE

Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> · Tue, 17 Dec 2024 12:01:34 -0500

I think I found the list of supported digests:

openssl list -digest-algorithms

And I can "just" put in my config:

default-md = SHAKE128

And since my PK algorithm is EDDSA25519, the digest is only? used for SKID.

Legacy:
  RSA-MD4 => MD4
  RSA-MD5 => MD5
  RSA-RIPEMD160 => RIPEMD160
  RSA-SHA1 => SHA1
  RSA-SHA1-2 => RSA-SHA1
  RSA-SHA224 => SHA224
  RSA-SHA256 => SHA256
  RSA-SHA3-224 => SHA3-224
  RSA-SHA3-256 => SHA3-256
  RSA-SHA3-384 => SHA3-384
  RSA-SHA3-512 => SHA3-512
  RSA-SHA384 => SHA384
  RSA-SHA512 => SHA512
  RSA-SHA512/224 => SHA512-224
  RSA-SHA512/256 => SHA512-256
  RSA-SM3 => SM3
  BLAKE2b512
  BLAKE2s256
  id-rsassa-pkcs1-v1_5-with-sha3-224 => SHA3-224
  id-rsassa-pkcs1-v1_5-with-sha3-256 => SHA3-256
  id-rsassa-pkcs1-v1_5-with-sha3-384 => SHA3-384
  id-rsassa-pkcs1-v1_5-with-sha3-512 => SHA3-512
  MD4
  md4WithRSAEncryption => MD4
  MD5
  MD5-SHA1
  md5WithRSAEncryption => MD5
  ripemd => RIPEMD160
  RIPEMD160
  ripemd160WithRSA => RIPEMD160
  rmd160 => RIPEMD160
  SHA1
  sha1WithRSAEncryption => SHA1
  SHA224
  sha224WithRSAEncryption => SHA224
  SHA256
  sha256WithRSAEncryption => SHA256
  SHA3-224
  SHA3-256
  SHA3-384
  SHA3-512
  SHA384
  sha384WithRSAEncryption => SHA384
  SHA512
  SHA512-224
  sha512-224WithRSAEncryption => SHA512-224
  SHA512-256
  sha512-256WithRSAEncryption => SHA512-256
  sha512WithRSAEncryption => SHA512
  SHAKE128
  SHAKE256
  SM3
  sm3WithRSAEncryption => SM3
  ssl3-md5 => MD5
  ssl3-sha1 => SHA1
  whirlpool
Provided:
  { 2.16.840.1.101.3.4.2.10, SHA3-512 } @ default
  { 1.2.156.10197.1.401, SM3 } @ default
  { 1.3.6.1.4.1.1722.12.2.2.8, BLAKE2S-256, BLAKE2s256 } @ default
  { 2.16.840.1.101.3.4.2.8, SHA3-256 } @ default
  { 2.16.840.1.101.3.4.2.7, SHA3-224 } @ default
  { 2.16.840.1.101.3.4.2.2, SHA-384, SHA2-384, SHA384 } @ default
  { 2.16.840.1.101.3.4.2.3, SHA-512, SHA2-512, SHA512 } @ default
  { 2.16.840.1.101.3.4.2.5, SHA-512/224, SHA2-512/224, SHA512-224 } @ 
default
  { 2.16.840.1.101.3.4.2.12, SHAKE-256, SHAKE256 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA-256, SHA2-256, SHA256 } @ default
  { 1.3.14.3.2.26, SHA-1, SHA1, SSL3-SHA1 } @ default
  { 2.16.840.1.101.3.4.2.9, SHA3-384 } @ default
  { 2.16.840.1.101.3.4.2.11, SHAKE-128, SHAKE128 } @ default
  MD5-SHA1 @ default
  { 1.3.36.3.2.1, RIPEMD, RIPEMD-160, RIPEMD160, RMD160 } @ default
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 2.16.840.1.101.3.4.2.4, SHA-224, SHA2-224, SHA224 } @ default
  { 1.3.6.1.4.1.1722.12.2.1.16, BLAKE2B-512, BLAKE2b512 } @ default
  { 2.16.840.1.101.3.4.2.6, SHA-512/256, SHA2-512/256, SHA512-256 } @ 
default
  { KECCAK-KMAC-128, KECCAK-KMAC128 } @ default
  { KECCAK-KMAC-256, KECCAK-KMAC256 } @ default
  NULL @ default

On 12/16/24 13:06, Robert Moskowitz wrote:
How do I set up a config file so that the Subject Key Identifier is 
calculated using SHAKE128?

Specific use case wants a standards-based hash that is small.  And 
SHAKE128 fits the bill.

I have spent the day trying to find out where this is set in the 
config and I don't see where hash in

subjectKeyIdentifier = hash

is set.  Is it what is set in default_md?

Or do I just provide shake128?

thanks

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/d309b8b8-9f59-46a7-9a60-018f2bc2d305%40htt-consult.com.