Geek Answers Handbook

What is an RSA key identifier?

I saw key identifiers used in several places, and would like to use them in my program, but I could not find their description. How are they generated?

+7
source share
4 answers

In different formats (PGP, SSH, X.509 certificates), the key identifier has a different meaning. Neither SSH nor X.509 have a β€œdedicated” key identifier concept, but some people use this term (including their software) - in this case it is usually a hash of the public key or certificate in general.

Update: The comments reminded me that the "key identifier" extensions exist in X.509 certificates, and sometimes they are called key identifiers. However, this is not common - usually a hash (also sometimes called a fingerprint) is referred to as a key identifier.

+2
source

Having done this only for my purposes, I will write it while everything is fresh in my head ...

The "official" key identifier (that is, the contents of the "X509v3 Key Identifier" extension in the X509 certificate) is the SHA1 hash of the ASN.1 sequence with DER encoding, consisting of a module and exponent RSA Public Key. This requires collecting three different RFCs and a bit of experimentation to understand how this works.

Some Ruby encoding code looks like this: pass it to the RSA public or private key on stdin:

require 'openssl' pkey = OpenSSL::PKey::RSA.new($stdin.read).public_key seq = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer.new(pkey.n), OpenSSL::ASN1::Integer.new(pkey.e)]) puts Digest::SHA1.hexdigest(seq.to_der).upcase.scan(/../).join(':')
+5
source

In the case of Strongswan, you can display what it calls keyid using its command line utilities. The key point of keyid is that it can be used to identify the actual public key contained in the certificate so that the certificate can change, but by checking keyid, you can check if the key has changed or not.

The pki command will list the keywords for the X.509 certificate as follows (where subjectPublicKeyInfo hash is keyid ):

 pki --keyid --in cert.pem --type x509

Or for the RSA private key:

 pki --keyid --in key.pem

The second ipsec , which can be used to display all the certificates (and config) installed in the /etc/ipsec.d subdirectories (this command will list the certificates and their corresponding keyid that match their subjectPublicKeyInfo hash listed by the pki command):

 ipsec listall

You can also use openssl to generate Strongswan ideas for keyid , which is basically SHA1 of the RSA public key ( sed script just translates '----- BEGIN PUBLIC KEY -----' and END) [Bug after Miki's comment]:

 openssl x509 -in cert.pem -noout -pubkey | sed 's/--.*$//g' | base64 --decode | sha1sum
+2
source

The "key identifier" used for the RSA key in GPG / PGP is the last 8 hexadecimal digits of the key module.

+1
source

More articles:


All Articles