add support for encoding SubjectKeyIdentifier to CertificateBuilder
diff --git a/src/_cffi_src/openssl/asn1.py b/src/_cffi_src/openssl/asn1.py
index 44e9de1..c2d4fac 100644
--- a/src/_cffi_src/openssl/asn1.py
+++ b/src/_cffi_src/openssl/asn1.py
@@ -128,6 +128,7 @@
ASN1_BIT_STRING *ASN1_BIT_STRING_new(void);
void ASN1_BIT_STRING_free(ASN1_BIT_STRING *);
int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *, unsigned char **);
+int i2d_ASN1_OCTET_STRING(ASN1_OCTET_STRING *, unsigned char **);
/* This is not a macro, but is const on some versions of OpenSSL */
int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *, int);
ASN1_TIME *M_ASN1_TIME_dup(void *);
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 2752d98..fdd38fa 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -254,6 +254,17 @@
return pp, r
+def _encode_subject_key_identifier(backend, ski):
+ asn1_str = _encode_asn1_str_gc(backend, ski.digest, len(ski.digest))
+ pp = backend._ffi.new("unsigned char **")
+ r = backend._lib.i2d_ASN1_OCTET_STRING(asn1_str, pp)
+ assert r > 0
+ pp = backend._ffi.gc(
+ pp, lambda pointer: backend._lib.OPENSSL_free(pointer[0])
+ )
+ return pp, r
+
+
def _encode_general_name(backend, name):
if isinstance(name, x509.DNSName):
gn = backend._lib.GENERAL_NAME_new()
@@ -1235,6 +1246,8 @@
pp, r = _encode_extended_key_usage(self, extension.value)
elif isinstance(extension.value, x509.SubjectAlternativeName):
pp, r = _encode_subject_alt_name(self, extension.value)
+ elif isinstance(extension.value, x509.SubjectKeyIdentifier):
+ pp, r = _encode_subject_key_identifier(self, extension.value)
elif isinstance(extension.value, x509.AuthorityInformationAccess):
pp, r = _encode_authority_information_access(
self, extension.value
diff --git a/src/cryptography/x509.py b/src/cryptography/x509.py
index 5ed3c09..38d540a 100644
--- a/src/cryptography/x509.py
+++ b/src/cryptography/x509.py
@@ -1811,6 +1811,10 @@
extension = Extension(
OID_AUTHORITY_INFORMATION_ACCESS, critical, extension
)
+ elif isinstance(extension, SubjectKeyIdentifier):
+ extension = Extension(
+ OID_SUBJECT_KEY_IDENTIFIER, critical, extension
+ )
elif isinstance(extension, InhibitAnyPolicy):
extension = Extension(OID_INHIBIT_ANY_POLICY, critical, extension)
elif isinstance(extension, CRLDistributionPoints):
diff --git a/tests/test_x509.py b/tests/test_x509.py
index 4e763e3..1cbff51 100644
--- a/tests/test_x509.py
+++ b/tests/test_x509.py
@@ -1990,6 +1990,42 @@
)
assert ext.value == aia
+ @pytest.mark.requires_backend_interface(interface=RSABackend)
+ @pytest.mark.requires_backend_interface(interface=X509Backend)
+ def test_build_cert_with_ski(self, backend):
+ issuer_private_key = RSA_KEY_2048.private_key(backend)
+ subject_private_key = RSA_KEY_2048.private_key(backend)
+
+ not_valid_before = datetime.datetime(2002, 1, 1, 12, 1)
+ not_valid_after = datetime.datetime(2030, 12, 31, 8, 30)
+
+ ski = x509.SubjectKeyIdentifier.from_public_key(
+ subject_private_key.public_key()
+ )
+
+ builder = x509.CertificateBuilder().serial_number(
+ 777
+ ).issuer_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).subject_name(x509.Name([
+ x509.NameAttribute(x509.OID_COUNTRY_NAME, u'US'),
+ ])).public_key(
+ subject_private_key.public_key()
+ ).add_extension(
+ ski, critical=False
+ ).not_valid_before(
+ not_valid_before
+ ).not_valid_after(
+ not_valid_after
+ )
+
+ cert = builder.sign(issuer_private_key, hashes.SHA1(), backend)
+
+ ext = cert.extensions.get_extension_for_oid(
+ x509.OID_SUBJECT_KEY_IDENTIFIER
+ )
+ assert ext.value == ski
+
@pytest.mark.requires_backend_interface(interface=DSABackend)
@pytest.mark.requires_backend_interface(interface=X509Backend)