Add PreSpecified(Vec<u8>) option to KeyIdMethod.

If using from_ca_cert_der/_pem, the key_identifier_method would always
be set to Sha256, which is not always true. If using OpenSSL for example
SHA1 would be used.

If the provided CA certificate contains a SubjectKeyIdentifier extension,
then this option will be automatically set.

Fixes #195.

rcgen/src/lib.rs

@@ -611,6 +611,15 @@ impl CertificateParams {
 		let name_constraints = Self::convert_x509_name_constraints(&x509)?;
 		let serial_number = Some(x509.serial.to_bytes_be().into());
 
+		let mut key_identifier_method = KeyIdMethod::Sha256;
+		for ext in x509.extensions() {
+			if let x509_parser::extensions::ParsedExtension::SubjectKeyIdentifier(v) =
+				ext.parsed_extension()
+			{
+				key_identifier_method = KeyIdMethod::PreSpecified(v.0.to_vec());
+			}
+		}
+
 		Ok(CertificateParams {
 			alg,
 			is_ca,
@@ -619,6 +628,7 @@ impl CertificateParams {
 			extended_key_usages,
 			name_constraints,
 			serial_number,
+			key_identifier_method,
 			distinguished_name: dn,
 			key_pair: Some(key_pair),
 			not_before: validity.not_before.to_datetime(),
@@ -1128,10 +1138,13 @@ impl CertificateParams {
 	/// This key identifier is used in the SubjectKeyIdentifier X.509v3 extension.
 	fn key_identifier<K: PublicKeyData>(&self, pub_key: &K) -> Vec<u8> {
 		// Decide which method from RFC 7093 to use
-		let digest_method = match self.key_identifier_method {
+		let digest_method = match &self.key_identifier_method {
 			KeyIdMethod::Sha256 => &digest::SHA256,
 			KeyIdMethod::Sha384 => &digest::SHA384,
 			KeyIdMethod::Sha512 => &digest::SHA512,
+			KeyIdMethod::PreSpecified(b) => {
+				return b.to_vec();
+			},
 		};
 		let digest = digest::digest(digest_method, pub_key.raw_bytes());
 		let truncated_digest = &digest.as_ref()[0..20];
@@ -1347,6 +1360,8 @@ pub enum KeyIdMethod {
 	Sha384,
 	/// RFC 7093 method 3
 	Sha512,
+	/// Pre-specified identifier.
+	PreSpecified(Vec<u8>),
 }
 
 /// Helper to obtain an `OffsetDateTime` from year, month, day values