Re: [pkix] Certificate Encoding Questions

Ryan Sleevi <ryan-ietf@sleevi.com> Thu, 05 September 2019 16:10 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34C1A12096F for <pkix@ietfa.amsl.com>; Thu, 5 Sep 2019 09:10:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ns-4f92McuTq for <pkix@ietfa.amsl.com>; Thu, 5 Sep 2019 09:09:59 -0700 (PDT)
Received: from mail-ed1-f47.google.com (mail-ed1-f47.google.com [209.85.208.47]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A623012097C for <pkix@ietf.org>; Thu, 5 Sep 2019 09:09:58 -0700 (PDT)
Received: by mail-ed1-f47.google.com with SMTP id p2so2054793edx.11 for <pkix@ietf.org>; Thu, 05 Sep 2019 09:09:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=6s87+fcewJdyna6F7HmjjmZCqaplwpv8txG+eSbFFkg=; b=COsmKF+DmZ37Egef/9AlXl8w9bc2VbqOI9o3dKhhj9rtjTtm0K2MAfvGvB/h+yWMaE PcwjDkFe2UJo1lA3fPP2xbIWf46uImSrXU9TSK8zwBhpj7AtrUuQgBW2p35HhISynmWE gkqdY2wlncMJjatz0PuwtkVkOBdaj5Sl9MwywV6CXTk8ULoRB4QOWtB75tK2MaGzCc69 EIZcK01uqysAAR/4ZTMl+Oy0uhMt8YB4zUjb3xanS/0fh+yRuZZVr7KNlR9IUmVQfSOY lOfPu7EOesL0ei05DYOaOLNEt/dV4XwSc1xUo2BPAv/LRjGFP7zBc+Jkn9zsEfa7cOss Yr/w==
X-Gm-Message-State: APjAAAU5Q91Z6yAK5i4O6jNQalrCRptxu11suLHHzNrB11jrMJ5Cjh9/ LfPkvjroRJ0y4gZ26mvfj7KRdeZU
X-Google-Smtp-Source: APXvYqw8O6al5TJQaic+TSqzcanqVM69NiezrtONrtFh68jXh2civr525O+Rx1BpOTGe7txCDqxG2g==
X-Received: by 2002:a17:906:b211:: with SMTP id p17mr3463518ejz.11.1567699796747; Thu, 05 Sep 2019 09:09:56 -0700 (PDT)
Received: from mail-wm1-f45.google.com (mail-wm1-f45.google.com. [209.85.128.45]) by smtp.gmail.com with ESMTPSA id j2sm279979ejj.34.2019.09.05.09.09.55 for <pkix@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 05 Sep 2019 09:09:56 -0700 (PDT)
Received: by mail-wm1-f45.google.com with SMTP id r195so3775504wme.2 for <pkix@ietf.org>; Thu, 05 Sep 2019 09:09:55 -0700 (PDT)
X-Received: by 2002:a1c:a8cb:: with SMTP id r194mr3574868wme.156.1567699795703; Thu, 05 Sep 2019 09:09:55 -0700 (PDT)
MIME-Version: 1.0
References: <5eec7483c95247cb8968752588ff09f2@infineon.com>
In-Reply-To: <5eec7483c95247cb8968752588ff09f2@infineon.com>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Thu, 5 Sep 2019 12:09:44 -0400
X-Gmail-Original-Message-ID: <CAErg=HE2YOc5jFK0km7eoTHMkykxzFTXBY0swkdbQD8JJ-5JKQ@mail.gmail.com>
Message-ID: <CAErg=HE2YOc5jFK0km7eoTHMkykxzFTXBY0swkdbQD8JJ-5JKQ@mail.gmail.com>
To: Steve.Hanna@infineon.com
Cc: IETF PKIX <pkix@ietf.org>, kgoldman@us.ibm.com
Content-Type: multipart/alternative; boundary="0000000000007001c60591d08dcb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/z05BJW9EMhhsUkk2hlxJUMoSiWE>
Subject: Re: [pkix] Certificate Encoding Questions
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Sep 2019 16:10:00 -0000

On Thu, Sep 5, 2019 at 11:19 AM <Steve.Hanna@infineon.com>; wrote:

> I have a few simple questions about ASN.1 encoding for X.509 certificates.
> Can you help?
>
>
>
> 1)      The KeyUsage extension includes a BIT STRING. Is this encoded so
> that the most significant bit in the DER encoded value is bit 0
> (digitalSignature)? After looking at a few certificates, that seems to be
> true but I want to verify.
>

X.690 addresses this, as that describes how DER encoding (and BER encoding)
work on the wire.

In X.690 (08/15), the relevant clause will be 8.6.2.1 (for the general BER
encoding) and 11.2 for the further DER modifications.


> 2)      RFC 5754 says that when the algorithm OID in an
> AlgorithmIdentifier structure is sha256WithRSAEncryption, the parameters
> MUST be NULL. Would that NULL value encode to an additional 05 00 at the
> end of the SEQUENCE? Again, I observe this to be true but I want to verify
> it.
>
Yes. Omission would have been specified by "MUST be absent.".

This is perhaps more obvious in RFC 5912, which provides an explicit ASN.1
module that captures these encoding requirements (specifically, see Section
8, ASN.1 Module for RFC 4055)