diff --git a/dpe/src/commands/certify_key.rs b/dpe/src/commands/certify_key.rs
index 90a40300..9bb09055 100644
--- a/dpe/src/commands/certify_key.rs
+++ b/dpe/src/commands/certify_key.rs
@@ -458,8 +458,7 @@ mod tests {
 extension.parsed_extension() {
 let key_identifier = aki.key_identifier.clone().unwrap();
- // skip first two bytes - first byte is 0x04 der encoding byte and second byte is size byte
- assert_eq!(&key_identifier.0[2..], &expected_aki,);
+ assert_eq!(&key_identifier.0, &expected_aki,);
 } else {
 panic!("Extension has wrong type");
 }
diff --git a/dpe/src/x509.rs b/dpe/src/x509.rs
index 8348060b..e968a83e 100644
--- a/dpe/src/x509.rs
+++ b/dpe/src/x509.rs
@@ -508,7 +508,7 @@ impl CertWriter<'_> {
 let aki_size = Self::get_key_identifier_size(
 &measurements.authority_key_identifier,
 true,
- /*explicit=*/ true,
+ /*explicit=*/ false,
 )?;
 // Extension data is sequence -> octet string. To compute size, wrap
@@ -1613,7 +1613,7 @@ impl CertWriter<'_> {
 let key_identifier_size = Self::get_key_identifier_size(
 &measurements.authority_key_identifier,
 /*tagged=*/ true,
- /*explicit=*/ true,
+ /*explicit=*/ false,
 )?;
 bytes_written += self.encode_byte(Self::OCTET_STRING_TAG)?;
 bytes_written += self.encode_size_field(Self::get_structure_size(
@@ -1946,19 +1946,12 @@ impl CertWriter<'_> {
 fn encode_key_identifier(&mut self, key_identifier: &[u8]) -> Result {
 // KeyIdentifier is IMPLICIT field number 0
 let mut bytes_written = self.encode_byte(Self::CONTEXT_SPECIFIC | 0x0)?;
- bytes_written += self.encode_size_field(Self::get_key_identifier_size(
- key_identifier,
- /*tagged=*/ true,
- /*explicit=*/ false,
- )?)?;
-
- // KeyIdentifier := OCTET STRING
- bytes_written += self.encode_tag_field(Self::OCTET_STRING_TAG)?;
 bytes_written += self.encode_size_field(Self::get_key_identifier_size(
 key_identifier,
 /*tagged=*/ false,
 /*explicit=*/ false,
 )?)?;
+ bytes_written += self.encode_bytes(key_identifier)?;
 Ok(bytes_written)
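Review bot: The added assertion keeps the trailing comma left over from the removed slice form, `assert_eq!(&key_identifier.0, &expected_aki,);`, and takes a reference where the equivalent assertion in the x509.rs tests hunk (`@@ -2779`) compares `key_identifier.0` directly; settle on one form across both tests, e.g. `assert_eq!(&key_identifier.0, &expected_aki);`. The removed comment explained why two bytes were skipped, and now that the whole value is compared a one-line comment stating the expectation would help the next reader, e.g. `// keyIdentifier is [0] IMPLICIT, so the parsed value is the bare identifier with no OCTET STRING header`. The enclosing test function starts and ends outside the hunk.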
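Review bot: The second argument of `get_key_identifier_size` at the top of the `@@ -508` hunk is a bare `true,` while the parallel call in the `@@ -1613` hunk writes `/*tagged=*/ true,`; since the bug being fixed is a wrong value in exactly such a boolean pair, annotate it here as well: `/*tagged=*/ true,`. Both sites now size the AKI with `explicit=false`, which is what the encoder in `encode_key_identifier` (`@@ -1946`) emits, and a short comment at each call, `// keyIdentifier [0] is IMPLICIT: no inner OCTET STRING header`, would record why `explicit` must stay `false` wherever this value is sized. The enclosing functions start and end outside both hunks.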
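Review bot: `encode_key_identifier` now writes the `[0]` tag, a length, then the raw identifier bytes, which is the `keyIdentifier [0] IMPLICIT KeyIdentifier` form of RFC 5280 §4.2.1.1 — the form path builders compare against the issuer's SubjectKeyIdentifier — but the only explanation is `// KeyIdentifier is IMPLICIT field number 0`, and the name reads as a general key-identifier encoder. A doc comment on the function should state that it encodes only the AuthorityKeyIdentifier `keyIdentifier` component, that the length field covers the bare identifier (hence `/*tagged=*/ false, /*explicit=*/ false`), and that SubjectKeyIdentifier, being a plain OCTET STRING, must not go through it. The signature line renders as `-> Result {`, presumably a display artifact of the diff rather than the source type. The end of the function is not visible in the hunk as rendered.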
@@ -2779,10 +2772,9 @@ pub(crate) mod tests {
 assert!(!extension.critical);
 if let ParsedExtension::AuthorityKeyIdentifier(aki) = extension.parsed_extension() {
 let key_identifier = aki.key_identifier.clone().unwrap();
- // skip first two bytes - first byte is 0x04 der encoding byte and second byte is size byte
 // cert is self signed so authority_key_id == subject_key_id
 assert_eq!(
- &key_identifier.0[2..],
+ key_identifier.0,
 &expected_key_identifier[..MAX_KEY_IDENTIFIER_SIZE]
 );
 assert!(aki.authority_cert_issuer.is_none());
diff --git a/verification/testing/certifyKey.go b/verification/testing/certifyKey.go
index fc7e6270..c264edd7 100644
--- a/verification/testing/certifyKey.go
+++ b/verification/testing/certifyKey.go
@@ -425,8 +425,7 @@ func checkCertifyKeyAuthorityKeyIdentifierExtension(t *testing.T, extensions []p
 if aki.KeyIdentifier == nil {
 t.Fatal("[ERROR]: The certificate is a CA but the AuthorityKeyIdentifier extension is not present.")
 }
- // skip first two bytes - first byte is 0x04 der encoding byte and second byte is size byte
- if !reflect.DeepEqual(aki.KeyIdentifier[2:], IssuerSki) {
+ if !reflect.DeepEqual(aki.KeyIdentifier, IssuerSki) {
 t.Errorf("[ERROR]: The value of the authority key identifier %v is not equal to the issuer's subject key identifier %v", aki, IssuerSki)
 }
 } else if !ca && aki.KeyIdentifier != nil {
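Review bot: `reflect.DeepEqual` on two `[]byte` values in the new condition works, but `bytes.Equal(aki.KeyIdentifier, IssuerSki)` is the idiomatic comparison and avoids reflection; the nil case is already rejected by the `t.Fatal` just above, so both behave the same here (add `"bytes"` to the imports if the file does not already have it). The `t.Errorf` on the following line prints the whole `aki` struct as the first `%v`, so the message never shows the identifier it is complaining about; printing `aki.KeyIdentifier` with `%x` for both operands would make a mismatch readable. `checkCertifyKeyAuthorityKeyIdentifierExtension` starts before and ends after the hunk.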