How to validate the Subject Key Identifier (SKI) from a X509 certificate

Some days ago I received an odd complain that some of the Root CAs we use had the wrong Subject Key Identifier (SKI). I knew that the claim was false but I also knew that I'll have to prove it. The guy did dig on our own specifications and calculated the SKI as we required, the hash of the certificate public key but unfortunately the identifiers did not match.

In order to reproduce the problem I extracted the public key of the Root CA, converted to DER, hashed it with SHA1 and verified that indeed the hash did not match. Let’s do a demonstration of what I did with a public available Root CA:

openssl x509 -in GSRootCA-2014.cer -inform DER -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 02:00:00:00:00:00:d6:78:b7:94:05 Signature Algorithm: md5WithRSAEncryption Issuer: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Validity Not Before: Sep 1 12:00:00 1998 GMT Not After : Jan 28 12:00:00 2014 GMT Subject: C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:da:0e:e6:99:8d:ce:a3:e3:4f:8a:7e:fb:f1:8b: 83:25:6b:ea:48:1f:f1:2a:b0:b9:95:11:04:bd:f0: 63:d1:e2:67:66:cf:1c:dd:cf:1b:48:2b:ee:8d:89: 8e:9a:af:29:80:65:ab:e9:c7:2d:12:cb:ab:1c:4c: 70:07:a1:3d:0a:30:cd:15:8d:4f:f8:dd:d4:8c:50: 15:1c:ef:50:ee:c4:2e:f7:fc:e9:52:f2:91:7d:e0: 6d:d5:35:30:8e:5e:43:73:f2:41:e9:d5:6a:e3:b2: 89:3a:56:39:38:6f:06:3c:88:69:5b:2a:4d:c5:a7: 54:b8:6c:89:cc:9b:f9:3c:ca:e5:fd:89:f5:12:3c: 92:78:96:d6:dc:74:6e:93:44:61:d1:8d:c7:46:b2: 75:0e:86:e8:19:8a:d5:6d:6c:d5:78:16:95:a2:e9: c8:0a:38:eb:f2:24:13:4f:73:54:93:13:85:3a:1b: bc:1e:34:b5:8b:05:8c:b9:77:8b:b1:db:1f:20:91: ab:09:53:6e:90:ce:7b:37:74:b9:70:47:91:22:51: 63:16:79:ae:b1:ae:41:26:08:c8:19:2b:d1:46:aa: 48:d6:64:2a:d7:83:34:ff:2c:2a:c1:6c:19:43:4a: 07:85:e7:d3:7c:f6:21:68:ef:ea:f2:52:9f:7f:93: 90:cf Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 60:7B:66:1A:45:0D:97:CA:89:50:2F:7D:04:CD:34:A8:FF:FC:FD:4B X509v3 Basic Constraints: critical CA:TRUE Signature Algorithm: md5WithRSAEncryption ae:aa:9f:fc:b7:d2:cb:1f:5f:39:29:28:18:9e:34:c9:6c:4f: 6f:1a:f0:64:a2:70:4a:4f:13:86:9b:60:28:9e:e8:81:49:98: 7d:0a:bb:e5:b0:9d:3d:36:db:8f:05:51:ff:09:31:2a:1f:dd: 89:77:9e:0f:2e:6c:95:04:ed:86:cb:b4:00:3f:84:02:4d:80: 6a:2a:2d:78:0b:ae:6f:2b:a2:83:44:83:1f:cd:50:82:4c:24: af:bd:f7:a5:b4:c8:5a:0f:f4:e7:47:5e:49:8e:37:96:fe:9a: 88:05:3a:d9:c0:db:29:87:e6:19:96:47:a7:3a:a6:8c:8b:3c: 77:fe:46:63:a7:53:da:21:d1:ac:7e:49:a2:4b:e6:c3:67:59: 2f:b3:8a:0e:bb:2c:bd:a9:aa:42:7c:35:c1:d8:7f:d5:a7:31: 3a:4e:63:43:39:af:08:b0:61:34:8c:d3:98:a9:43:34:f6:0f: 87:29:3b:9d:c2:56:58:98:77:c3:f7:1b:ac:f6:9d:f8:3e:aa: a7:54:45:f0:f5:f9:d5:31:65:fe:6b:58:9c:71:b3:1e:d7:52: ea:32:17:fc:40:60:1d:c9:79:24:b2:f6:6c:fd:a8:66:0e:82: dd:98:cb:da:c2:44:4f:2e:a0:7b:f2:f7:6b:2c:76:11:84:46: 8a:78:a3:e3

Now let's calculate the SHA1 of the public key:

openssl x509 -in GSRootCA-2014.cer -inform DER -pubkey -noout| openssl rsa -pubin -outform DER| openssl dgst -c -sha1 87:db:d4:5f:b0:92:8d:4e:1d:f8:15:67:e7:f2:ab:af:d6:2b:67:75

As reported, both hashes did not match!

At this point I was a bit confused and decided to read some documentation before moving forward. After some reading I found the answer in the 4.2.1.2 section of the the RFC3280 “Internet X.509 Public Key Infrastructure - Certificate and Certificate Revocation List (CRL) Profile ” (http://www.ietf.org/rfc/rfc3280.txt)

4.2.1.2 Subject Key Identifier The subject key identifier extension provides a means of identifying certificates that contain a particular public key. To facilitate certification path construction, this extension MUST appear in all conforming CA certificates, that is, all certificates including the basic constraints extension (section 4.2.1.10) where the value of cA is TRUE. The value of the subject key identifier MUST be the value placed in the key identifier field of the Authority Key Identifier extension (section 4.2.1.1) of certificates issued by the subject of this certificate. For CA certificates, subject key identifiers SHOULD be derived from the public key or a method that generates unique values. Two common methods for generating key identifiers from the public key are: (1) The keyIdentifier is composed of the 160-bit SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bits). (2) The keyIdentifier is composed of a four bit type field with the value 0100 followed by the least significant 60 bits of the SHA-1 hash of the value of the BIT STRING subjectPublicKey (excluding the tag, length, and number of unused bit string bits).

In our case we use method 1) for the SKI but in my calculations I was taking into consideration the whole public key, including tag, length, etc, while I should have used the key bits only.
With the following command I was able to locate the “BIT STRING” with the naked key:

openssl x509 -noout -in GSRootCA-2014.cer -inform DER -pubkey| openssl asn1parse 0:d=0 hl=4 l= 290 cons: SEQUENCE 4:d=1 hl=2 l= 13 cons: SEQUENCE 6:d=2 hl=2 l= 9 prim: OBJECT :rsaEncryption 17:d=2 hl=2 l= 0 prim: NULL 19:d=1 hl=4 l= 271 prim: BIT STRING

And I only need to extract it and put it on a file in DER format:

openssl x509 -noout -in GSRootCA-2014.cer -inform DER -pubkey| openssl asn1parse -strparse 19 -out pub.der 0:d=0 hl=4 l= 266 cons: SEQUENCE 4:d=1 hl=4 l= 257 prim: INTEGER :DA0EE6998DCEA3E34F8A7EFBF18B83256BEA481FF12AB0B995110... DDCF1B482BEE8D898E9AAF298065ABE9C72D12CBAB1C4C7007A13D0A30CD158D4FF8DDD4... 73F241E9D56AE3B2893A5639386F063C88695B2A4DC5A754B86C89CC9BF93CCAE5FD89F5... 6D6CD5781695A2E9C80A38EBF224134F73549313853A1BBC1E34B58B058CB9778BB1DB1F... 2608C8192BD146AA48D6642AD78334FF2C2AC16C19434A0785E7D37CF62168EFEAF2529F... 265:d=1 hl=2 l= 3 prim: INTEGER :010001

The remaining part was to calculate the SHA1 hash which was the same as the SKI:

openssl dgst -c -sha1 pub.der SHA1(pub.der)= 60:7b:66:1a:45:0d:97:ca:89:50:2f:7d:04:cd:34:a8:ff:fc:fd:4b

The same method was used to verify the SKI of a Root CA using SHA256 as a hashing algorithm.