Expand Up @@ -52,11 +52,12 @@ private X509ExtensionSetUpdater() {
* @param issuerPublicKey New issuer public key
* @param issuerCertName New issuer DN
* @param issuerCertSerialNumber New SN
* @param issuerSkiExt New issuer SKI extension
* @throws CryptoException For example when hash value cannot be calculated
* @throws IOException If the content cannot be encoded
*/
public static void update(X509ExtensionSet extensionSet, PublicKey subjectPublicKey, PublicKey issuerPublicKey,
X500Name issuerCertName, BigInteger issuerCertSerialNumber)
X500Name issuerCertName, BigInteger issuerCertSerialNumber, byte[] issuerSkiExt)
throws CryptoException, IOException {

Set<String> allExtensions = new HashSet<>(extensionSet.getCriticalExtensionOIDs());
Expand All @@ -66,7 +67,7 @@ public static void update(X509ExtensionSet extensionSet, PublicKey subjectPublic

switch (X509ExtensionType.resolveOid(extensionOid)) {
case AUTHORITY_KEY_IDENTIFIER:
updateAKI(extensionSet, extensionOid, issuerPublicKey, issuerCertName, issuerCertSerialNumber);
updateAKI(extensionSet, extensionOid, issuerPublicKey, issuerCertName, issuerCertSerialNumber, issuerSkiExt);
break;
case SUBJECT_KEY_IDENTIFIER:
updateSKI(extensionSet, extensionOid, subjectPublicKey);
Expand All @@ -91,7 +92,7 @@ private static void updateSKI(X509ExtensionSet extensionSet, String extensionOid
}

private static void updateAKI(X509ExtensionSet extensionSet, String extensionOid, PublicKey newIssuerPublicKey,
X500Name newIssuerCertName, BigInteger newIssuerSerialNumber)
X500Name newIssuerCertName, BigInteger newIssuerSerialNumber, byte[] issuerSkiExt)
throws CryptoException, IOException {

// extract old AKI data
Expand All @@ -102,6 +103,11 @@ private static void updateAKI(X509ExtensionSet extensionSet, String extensionOid

// generate new values
byte[] newKeyIdentifier = new KeyIdentifierGenerator(newIssuerPublicKey).generate160BitHashId();
if (issuerSkiExt != null) {
// The *issuer* subject key identifier is the *issued* cert's authority key identifier
newKeyIdentifier = SubjectKeyIdentifier.getInstance(X509Ext.unwrapExtension(issuerSkiExt))
.getKeyIdentifier();
}
GeneralNames newCertIssuer = new GeneralNames(new GeneralName[] { new GeneralName(newIssuerCertName) });

// create new AKI object with same components as before
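Review bot: The new `SubjectKeyIdentifier.getInstance(X509Ext.unwrapExtension(issuerSkiExt))` in updateAKI is guarded only against a null extension, not a malformed one; as far as I can tell a truncated or non-conforming SKI in the issuer certificate surfaces as an unchecked IllegalArgumentException from the ASN.1 decoder, which neither the declared `throws CryptoException, IOException` nor the callers' `catch (CryptoException | IOException ...)` blocks in the two dialog hunks below and in DSignCsr handle, so the GUI would see an unreported runtime exception instead of the usual error dialog. I would wrap the decode and rethrow it as CryptoException, and compute the 160-bit hash only in the fallback branch since it is discarded whenever the issuer carries an SKI. The Javadoc for the new parameter at the top of this file section should also state the expected encoding, e.g. `@param issuerSkiExt DER-encoded SKI extension value of the issuer certificate as returned by X509Certificate.getExtensionValue (OCTET STRING wrapped), or null to derive the AKI from a hash of the issuer public key`. updateAKI continues outside the hunk.
```java
// generate new values
byte[] newKeyIdentifier;
if (issuerSkiExt != null) {
    // The *issuer* subject key identifier is the *issued* cert's authority key identifier
    try {
        newKeyIdentifier = SubjectKeyIdentifier.getInstance(X509Ext.unwrapExtension(issuerSkiExt))
                .getKeyIdentifier();
    } catch (IllegalArgumentException e) {
        // assumes CryptoException offers a (String, Throwable) constructor — adjust to the project's
        throw new CryptoException("Issuer certificate has a malformed Subject Key Identifier extension", e);
    }
} else {
    newKeyIdentifier = new KeyIdentifierGenerator(newIssuerPublicKey).generate160BitHashId();
}
GeneralNames newCertIssuer = new GeneralNames(new GeneralName[] { new GeneralName(newIssuerCertName) });
// … unchanged: create new AKI object with same components as before …
```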
Expand Up @@ -324,12 +324,13 @@ private void transferNameExtPressed() {
String serialNumberStr = jtfSerialNumber.getText().trim();
BigInteger serialNumber = SerialNumbers.parse(serialNumberStr);
X509ExtensionSetUpdater.update(extensions, keyPair.getPublic(), keyPair.getPublic(),
jdnName.getDistinguishedName(), serialNumber);
jdnName.getDistinguishedName(), serialNumber, null);
} else {
X509ExtensionSetUpdater.update(extensions, keyPair.getPublic(), issuerCert.getPublicKey(),
X500NameUtils.x500PrincipalToX500Name(
issuerCert.getSubjectX500Principal()),
issuerCert.getSerialNumber());
issuerCert.getSerialNumber(),
issuerCert.getExtensionValue(X509ExtensionType.SUBJECT_KEY_IDENTIFIER.oid()));
}
} catch (CryptoException | IOException | NumberFormatException e) {
DError.displayError(this, e);
Expand Up @@ -764,7 +764,7 @@ private void loadTemplatePressed() {
extensions = X509ExtensionSet.load(new FileInputStream(loadFile));

X509ExtensionSetUpdater.update(extensions, subjectPublicKey, issuerPublicKey, issuerCertName,
issuerCertSerialNumber);
issuerCertSerialNumber, issuerSki);

reloadExtensionsTable();
selectFirstExtensionInTable();
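--- a/kse/src/main/java/org/kse/gui/dialogs/sign/DSignCsr.java
+++ b/kse/src/main/java/org/kse/gui/dialogs/sign/DSignCsr.java
@@ -656,7 +656,8 @@ protected void transferExtensionsPressed() {
 X509ExtensionSetUpdater.update(extensions, csrPublicKey, issuerCertificate.getPublicKey(),
 X500NameUtils.x500PrincipalToX500Name(
 issuerCertificate.getSubjectX500Principal()),
-issuerCertificate.getSerialNumber());
+issuerCertificate.getSerialNumber(),
+issuerCertificate.getExtensionValue(X509ExtensionType.SUBJECT_KEY_IDENTIFIER.oid()));
 } catch (CryptoException | IOException e) {
 DError.displayError(this, e);
 }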