[pkix] Certificate Encoding Questions

<Steve.Hanna@infineon.com> Thu, 05 September 2019 15:19 UTC

Return-Path: <steve.hanna@infineon.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 48AD81200F9 for <pkix@ietfa.amsl.com>; Thu, 5 Sep 2019 08:19:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=infineon.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id oD3JNBHIgkIY for <pkix@ietfa.amsl.com>; Thu, 5 Sep 2019 08:19:28 -0700 (PDT)
Received: from smtp2.infineon.com (smtp2.infineon.com [IPv6:2a00:18f0:1e00:4::4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 396A8120046 for <pkix@ietf.org>; Thu, 5 Sep 2019 08:19:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=infineon.com; i=@infineon.com; q=dns/txt; s=IFXMAIL; t=1567696768; x=1599232768; h=from:to:cc:subject:date:message-id:mime-version; bh=wLaBZgxcMPuopkpf+tuSOsy58+1m7pLfwo4RtqYNNdM=; b=QajgCAgq6NPzsX0M346XuYJMHcNxowKROAtl9zfhITSkAhlhk2W2Rtqn P6mBR6MInzWVzBLiau4vsF5HGiGPOqhkGo6htL4c3PFlJx7grm9rl1rQs 4xx6WuVHxrWbDcuZoEKj+tKpIhVWn7lvYg0PGLvPKnI3WCHi+G7YQTkD+ w=;
IronPort-SDR: kh+ktmcR75usQr/Msn9UMzWN3sRCZwqCZ03dU/rvMGFayQ1hKjIBvndOYlkVDUvUcE7s1qSiag VXnT0upAlH7A==
X-SBRS: None
X-IronPort-AV: E=McAfee;i="6000,8403,9370"; a="11855122"
X-IronPort-AV: E=Sophos; i="5.64,470,1559512800"; d="scan'208,217"; a="11855122"
Received: from unknown (HELO mucxv002.muc.infineon.com) ([]) by smtp2.infineon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 05 Sep 2019 17:19:25 +0200
Received: from MUCSE708.infineon.com (MUCSE708.infineon.com []) by mucxv002.muc.infineon.com (Postfix) with ESMTPS; Thu, 5 Sep 2019 17:19:25 +0200 (CEST)
Received: from MUCSE701.infineon.com ( by MUCSE708.infineon.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1713.5; Thu, 5 Sep 2019 17:19:25 +0200
Received: from MUCSE707.infineon.com ( by MUCSE701.infineon.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1713.5; Thu, 5 Sep 2019 17:19:25 +0200
Received: from MUCSE707.infineon.com ([fe80::e599:a749:53f5:64a1]) by MUCSE707.infineon.com ([fe80::e599:a749:53f5:64a1%17]) with mapi id 15.01.1713.008; Thu, 5 Sep 2019 17:19:24 +0200
From: <Steve.Hanna@infineon.com>
To: <pkix@ietf.org>
CC: <kgoldman@us.ibm.com>
Thread-Topic: Certificate Encoding Questions
Thread-Index: AdVj/No4WD0mhQIeRjm/+bbI1YgSBA==
Date: Thu, 5 Sep 2019 15:19:24 +0000
Message-ID: <5eec7483c95247cb8968752588ff09f2@infineon.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_5eec7483c95247cb8968752588ff09f2infineoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/LPODLG2gF_XBzmif6xIavLjpkY4>
Subject: [pkix] Certificate Encoding Questions
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Sep 2019 15:19:30 -0000

I have a few simple questions about ASN.1 encoding for X.509 certificates. Can you help?

1)      The KeyUsage extension includes a BIT STRING. Is this encoded so that the most significant bit in the DER encoded value is bit 0 (digitalSignature)? After looking at a few certificates, that seems to be true but I want to verify.

2)      RFC 5754 says that when the algorithm OID in an AlgorithmIdentifier structure is sha256WithRSAEncryption, the parameters MUST be NULL. Would that NULL value encode to an additional 05 00 at the end of the SEQUENCE? Again, I observe this to be true but I want to verify it.

Please keep Ken Goldman on the cc list for responses, if possible.