Discuss this help topic in SecureBlackbox Forum

TElSubjectKeyIdentifierExtension class

Properties     Declared in     


TElSubjectKeyIdentifierExtension is a descendant of TElCustomExtension class.

Description

    The following paragraph is taken from RFC 2459 (Housley, et. al.), part 4.2.1.2:

    «The subject key identifier extension provides a means of identifying certificates that contain a particular public key.

    To facilitate chain building, this extension MUST appear in all con- forming CA certificates, that is, all certificates including the basic constraints extension where the value of cA is TRUE. The value of the subject key identifier MUST be the value placed in the key identifier field of the Authority Key Identifier extension of certificates issued by the subject of this certificate.

    For CA certificates, subject key identifiers SHOULD be derived from the public key or a method that generates unique values. Two common methods for generating key identifiers from the public key are:

  • (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits).
  • (2) The keyIdentifier is composed of a four bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey.
    One common method for generating unique values is a monotonically increasing sequence of integers.

    For end entity certificates, the subject key identifier extension provides a means for identifying certificates containing the particular public key used in an application. Where an end entity has obtained multiple certificates, especially from multiple CAs, the subject key identifier provides a means to quickly identify the set of certificates containing a particular public key. To assist applications in identification the appropriate end entity certificate, this extension SHOULD be included in all end entity certificates.

    For end entity certificates, subject key identifiers SHOULD be derived from the public key. Two common methods for generating key identifiers from the public key are identified above.

    Where a key identifier has not been previously established, this specification recommends use of one of these methods for generating keyIdentifiers.

    This extension MUST NOT be marked critical.»

SecureBlackbox uses SHA-1 hash algorithm output as key identifiers.

Properties

Inherited from TElCustomExtension

Declared in

.NET:
  • Namespace: SBX509Ext
  • Assembly: SecureBlackbox
VCL:
  • Unit: SBX509Ext
Java:
  • Package: SecureBlackbox.Base.jar
C++:
  • sbx509ext.h

Discuss this help topic in SecureBlackbox Forum