diff options
| author | Jack Lloyd <[email protected]> | 2018-04-16 07:47:58 -0400 |
|---|---|---|
| committer | Jack Lloyd <[email protected]> | 2018-04-16 07:47:58 -0400 |
| commit | 5a05ea6b00d672d521eabb4250dfbd997ff0700d (patch) | |
| tree | 6941ad853f2fcb394f89bf0eb979c0f60c448dad | |
| parent | 7398cea6fd7bfc1012a8b17a5034c095777195d6 (diff) | |
Truncate new SKIDs to 192 bits
More than long enough, and saves quite a bit of space especially for
SHA-512 certificates.
| -rw-r--r-- | news.rst | 5 | ||||
| -rw-r--r-- | src/lib/x509/x509_ext.cpp | 6 | ||||
| -rw-r--r-- | src/lib/x509/x509self.cpp | 9 |
3 files changed, 14 insertions, 6 deletions
@@ -13,6 +13,11 @@ Version 2.7.0, Not Yet Released * XMSS signature verification did not check that the signature was of the expected length which could lead to a crash. (GH #1537) +* Botan generates X.509 subject key IDs by hashing the public key with + whatever hash function is being used to sign the certificate. However + especially for SHA-512 this caused SKIDs that were far longer than + necessary. Now all SKIDs are truncated to 192 bits. + * Small optimizations for ECC (#1531) * In the test suite use ``mkstemp`` to create temporary files instead diff --git a/src/lib/x509/x509_ext.cpp b/src/lib/x509/x509_ext.cpp index b969ad7cf..c0fe904bc 100644 --- a/src/lib/x509/x509_ext.cpp +++ b/src/lib/x509/x509_ext.cpp @@ -434,6 +434,12 @@ Subject_Key_ID::Subject_Key_ID(const std::vector<uint8_t>& pub_key, const std::s hash->update(pub_key); hash->final(m_key_id.data()); + + // Truncate longer hashes, 192 bits here seems plenty + const size_t max_skid_len = (192 / 8); + if(m_key_id.size() > max_skid_len) + m_key_id.resize(max_skid_len); + m_key_id[0] = 0x44; } /* diff --git a/src/lib/x509/x509self.cpp b/src/lib/x509/x509self.cpp index 78bbe8615..32f21c101 100644 --- a/src/lib/x509/x509self.cpp +++ b/src/lib/x509/x509self.cpp @@ -82,13 +82,10 @@ X509_Certificate create_self_signed_cert(const X509_Cert_Options& opts, extensions.add_new(new Cert_Extension::Key_Usage(constraints), true); } - std::unique_ptr<HashFunction> hash(HashFunction::create_or_throw(hash_fn)); - hash->update(pub_key); - std::vector<uint8_t> skid(hash->output_length()); - hash->final(skid.data()); + std::unique_ptr<Cert_Extension::Subject_Key_ID> skid(new Cert_Extension::Subject_Key_ID(pub_key, hash_fn)); - extensions.add_new(new Cert_Extension::Subject_Key_ID(skid)); - extensions.add_new(new Cert_Extension::Authority_Key_ID(skid)); + extensions.add_new(new Cert_Extension::Authority_Key_ID(skid->get_key_id())); + extensions.add_new(skid.release()); extensions.add_new( new Cert_Extension::Subject_Alternative_Name(subject_alt)); |