Both a regular dump and an ASN.1 dump. You will see: Signature Algorithm: ecdsa-with-SHA512
at bytes 35 and 1021 in the issuing cert and 35 and 718 in the client cert. 10 bytes in each case, so only having it once saves 10 bytes, and I will take that to the bank.
Please run this cert through your converter code and make sure it works, as this is a working cert used in SWIM testing. Lots I disapprove of in this cert, and I have sent my critique of it back in August. Still a struggle with conflicting directions on ICAO certs content. Problems (IMO) in the CP.
On 3/19/24 03:37, Orie Steele wrote:
From Mike O.:

I asked Russ about the history of the duplicate signatureAlgorithm in X.509. The answer is that in like 1984 -- before PKCS#1 was invented, before hash-then-sign was invented -- there was concern that some future algorithms might sign by encrypting the TBSCertificate, and so you would need to know the signatureAlgorithm in order to decrypt the TBSCertificate. So the unprotected copy was put there literally as a hint for how to parse the signature value in cases where the contents of the TBSCertificate.signatureAlg is opaque.

So, yeah, it's 100% an artifact of evolution. Please get rid of it in C509.

--
ORIE STEELE
Chief Technology Officer
www.transmute.industries <https://transmute.industries>

_______________________________________________
COSE mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cose
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
59:dd:22:a8:f7:49:8c:d6:88:50:52:f3:2b:a5:37:f7:ce:84:57:ad
Signature Algorithm: ecdsa-with-SHA512
Issuer: C = US, O = FAA, OU = 0124.ANGUTMPKI, CN = FAA Testp Root CA
Validity
Not Before: Jun 27 16:11:26 2021 GMT
Not After : Jun 20 15:18:55 2051 GMT
Subject: C = US, O = FAA, OU = 0124.ANGUTMPKI, CN = FAA Testp NPE Issuing CA
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:5d:4b:27:fe:b3:fb:90:83:45:ce:44:77:cd:e1:
20:f3:5b:d9:ee:0e:48:c1:53:9e:e4:a9:20:e3:43:
20:bb:6b:77:56:4c:5b:e8:4e:d6:df:3f:3e:ad:2e:
cf:2f:08:4c:96:ea:fe:d7:81:41:69:be:a1:35:6f:
13:6a:05:6b:9b
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Authority Key Identifier:
E4:43:77:F1:B4:1A:31:26:8A:35:63:3C:BF:EB:30:86:A4:41:63:FB
Authority Information Access:
CA Issuers - URI:http://test1carepository.faa.gov/testca/faa-testp-root-ca.p7c
OCSP - URI:http://test1carepository.faa.gov/ocsp
X509v3 Certificate Policies:
Policy: 1.3.27.16.1.2.0.1.1
User Notice:
Explicit Text:
Policy: 1.3.27.16.1.2.0.1.2
Policy: 1.3.27.16.1.2.0.1.3
Policy: 1.3.27.16.1.2.0.1.4
Policy: 1.3.27.16.1.2.0.1.5
Policy: 1.3.27.16.1.2.0.1.6
Policy: 1.3.27.16.1.2.0.1.7
Policy: 1.3.27.16.1.2.0.1.8
Policy: 1.3.27.16.1.2.0.1.9
Policy: 1.3.27.16.1.2.0.1.10
Policy: 1.3.27.16.1.2.0.1.11
X509v3 CRL Distribution Points:
Full Name:
URI:http://test1carepository.faa.gov/testcrl/faa-testp-root-ca.crl
X509v3 Subject Key Identifier:
D9:B4:E3:81:E1:E0:EC:11:AB:75:55:B8:91:91:C5:43:4F:9C:37:08
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
Signature Algorithm: ecdsa-with-SHA512
Signature Value:
30:81:88:02:42:01:0e:7d:ae:fd:84:36:51:e8:8f:6d:9d:a0:
ca:ef:75:64:48:81:85:63:0c:3e:b1:d0:53:01:eb:95:30:b4:
46:1a:da:e3:05:68:78:1a:f5:11:dc:96:5f:be:fb:bc:eb:20:
06:06:6d:04:aa:37:86:44:cd:2b:4b:56:1a:80:37:f0:99:02:
42:01:05:d7:6c:fa:98:1e:bc:cc:ed:c1:10:11:00:d3:5c:29:
21:82:04:75:11:38:32:86:8e:e1:73:98:86:f6:57:b7:67:6b:
72:92:cc:e0:d5:8d:d6:44:ef:33:5e:01:1a:59:6c:8d:09:8e:
a8:2d:72:3a:30:88:43:93:e1:52:e3:78:50
$ openssl asn1parse -i -in FAATestpNPEIssuingCA.pem
0:d=0 hl=4 l=1172 cons: SEQUENCE
4:d=1 hl=4 l=1013 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 20 prim: INTEGER :59DD22A8F7498CD6885052F32BA537F7CE8457AD
35:d=2 hl=2 l= 10 cons: SEQUENCE
37:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA512
47:d=2 hl=2 l= 80 cons: SEQUENCE
49:d=3 hl=2 l= 11 cons: SET
51:d=4 hl=2 l= 9 cons: SEQUENCE
53:d=5 hl=2 l= 3 prim: OBJECT :countryName
58:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
62:d=3 hl=2 l= 12 cons: SET
64:d=4 hl=2 l= 10 cons: SEQUENCE
66:d=5 hl=2 l= 3 prim: OBJECT :organizationName
71:d=5 hl=2 l= 3 prim: UTF8STRING :FAA
76:d=3 hl=2 l= 23 cons: SET
78:d=4 hl=2 l= 21 cons: SEQUENCE
80:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
85:d=5 hl=2 l= 14 prim: UTF8STRING :0124.ANGUTMPKI
101:d=3 hl=2 l= 26 cons: SET
103:d=4 hl=2 l= 24 cons: SEQUENCE
105:d=5 hl=2 l= 3 prim: OBJECT :commonName
110:d=5 hl=2 l= 17 prim: UTF8STRING :FAA Testp Root CA
129:d=2 hl=2 l= 32 cons: SEQUENCE
131:d=3 hl=2 l= 13 prim: UTCTIME :210627161126Z
146:d=3 hl=2 l= 15 prim: GENERALIZEDTIME :20510620151855Z
163:d=2 hl=2 l= 87 cons: SEQUENCE
165:d=3 hl=2 l= 11 cons: SET
167:d=4 hl=2 l= 9 cons: SEQUENCE
169:d=5 hl=2 l= 3 prim: OBJECT :countryName
174:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
178:d=3 hl=2 l= 12 cons: SET
180:d=4 hl=2 l= 10 cons: SEQUENCE
182:d=5 hl=2 l= 3 prim: OBJECT :organizationName
187:d=5 hl=2 l= 3 prim: UTF8STRING :FAA
192:d=3 hl=2 l= 23 cons: SET
194:d=4 hl=2 l= 21 cons: SEQUENCE
196:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
201:d=5 hl=2 l= 14 prim: UTF8STRING :0124.ANGUTMPKI
217:d=3 hl=2 l= 33 cons: SET
219:d=4 hl=2 l= 31 cons: SEQUENCE
221:d=5 hl=2 l= 3 prim: OBJECT :commonName
226:d=5 hl=2 l= 24 prim: UTF8STRING :FAA Testp NPE Issuing CA
252:d=2 hl=2 l= 89 cons: SEQUENCE
254:d=3 hl=2 l= 19 cons: SEQUENCE
256:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
265:d=4 hl=2 l= 8 prim: OBJECT :prime256v1
275:d=3 hl=2 l= 66 prim: BIT STRING
343:d=2 hl=4 l= 674 cons: cont [ 3 ]
347:d=3 hl=4 l= 670 cons: SEQUENCE
351:d=4 hl=2 l= 15 cons: SEQUENCE
353:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
358:d=5 hl=2 l= 1 prim: BOOLEAN :255
361:d=5 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
368:d=4 hl=2 l= 31 cons: SEQUENCE
370:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
375:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014E44377F1B41A31268A35633CBFEB3086A44163FB
401:d=4 hl=3 l= 141 cons: SEQUENCE
404:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
414:d=5 hl=3 l= 128 prim: OCTET STRING [HEX
DUMP]:307E304906082B06010505073002863D687474703A2F2F746573743163617265706F7369746F72792E6661612E676F762F7465737463612F6661612D74657374702D726F6F742D63612E703763303106082B060105050730018625687474703A2F2F746573743163617265706F7369746F72792E6661612E676F762F6F637370
545:d=4 hl=4 l= 344 cons: SEQUENCE
549:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
554:d=5 hl=4 l= 335 prim: OCTET STRING [HEX
893:d=4 hl=2 l= 79 cons: SEQUENCE
895:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
900:d=5 hl=2 l= 72 prim: OCTET STRING [HEX
DUMP]:30463044A042A040863E687474703A2F2F746573743163617265706F7369746F72792E6661612E676F762F7465737463726C2F6661612D74657374702D726F6F742D63612E63726C
974:d=4 hl=2 l= 29 cons: SEQUENCE
976:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
981:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:0414D9B4E381E1E0EC11AB7555B89191C5434F9C3708
1005:d=4 hl=2 l= 14 cons: SEQUENCE
1007:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
1012:d=5 hl=2 l= 1 prim: BOOLEAN :255
1015:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:03020106
1021:d=1 hl=2 l= 10 cons: SEQUENCE
1023:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA512
1033:d=1 hl=3 l= 140 prim: BIT STRING
[rgm@lx140e ca-faa]$ openssl x509 -inform pem -in test.210627.1.swimsiging.cer.pem -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1e:d7:5c:a0:fa:de:19:f9:8b:00:3b:86:91:b8:fb:fd:ca:00:20:88
Signature Algorithm: ecdsa-with-SHA256
Issuer: C = US, O = FAA, OU = 0124.ANGUTMPKI, CN = FAA Testp NPE Issuing CA
Validity
Not Before: Jun 27 17:34:13 2021 GMT
Not After : Jun 27 17:34:12 2023 GMT
Subject: C = US, O = FAA, OU = 0124.ANGUTMPKI, CN = test.210627.1swimsiging
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:9c:6f:dc:2f:32:c4:76:81:5e:f8:fa:0c:60:a2:
fc:06:e1:46:c9:65:fc:18:c8:aa:80:04:97:3e:d0:
9e:1f:2a:9e:a3:50:83:a6:fd:b4:d3:36:81:21:69:
08:f7:8d:ea:b5:44:14:02:71:19:d3:a8:88:55:12:
46:81:2d:12:38
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Authority Key Identifier:
D9:B4:E3:81:E1:E0:EC:11:AB:75:55:B8:91:91:C5:43:4F:9C:37:08
Authority Information Access:
CA Issuers - URI:http://test1carepository.faa.gov/testca/faa-testp-npe-issuing-ca.p7c
OCSP - URI:http://test1carepository.faa.gov/ocsp
X509v3 Certificate Policies:
Policy: 1.3.27.16.1.2.0.1.8
X509v3 Extended Key Usage:
1.3.27.16.1.4.1.1
X509v3 CRL Distribution Points:
Full Name:
URI:http://test1carepository.faa.gov/testcrl/faa-testp-npe-issuing-ca.crl
X509v3 Subject Key Identifier:
23:83:FD:0B:11:7D:FF:48:7E:6F:37:71:42:7D:0A:DE:C8:C9:E8:F8
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
Signature Algorithm: ecdsa-with-SHA256
Signature Value:
30:45:02:20:49:85:7d:18:56:46:f0:2d:3f:f9:ab:b3:4a:be:
da:4a:89:6e:3e:ad:9a:21:88:ed:90:6c:49:1a:98:0e:3a:c1:
02:21:00:d6:71:cf:5d:b2:38:20:f4:9b:1b:62:91:8b:f4:31:
36:71:7c:d6:78:ce:cb:39:88:77:5b:bb:90:0a:0c:ce:cc
$ openssl asn1parse -i -in test.210627.1.swimsiging.cer.pem
0:d=0 hl=4 l= 800 cons: SEQUENCE
4:d=1 hl=4 l= 710 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 20 prim: INTEGER :1ED75CA0FADE19F98B003B8691B8FBFDCA002088
35:d=2 hl=2 l= 10 cons: SEQUENCE
37:d=3 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
47:d=2 hl=2 l= 87 cons: SEQUENCE
49:d=3 hl=2 l= 11 cons: SET
51:d=4 hl=2 l= 9 cons: SEQUENCE
53:d=5 hl=2 l= 3 prim: OBJECT :countryName
58:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
62:d=3 hl=2 l= 12 cons: SET
64:d=4 hl=2 l= 10 cons: SEQUENCE
66:d=5 hl=2 l= 3 prim: OBJECT :organizationName
71:d=5 hl=2 l= 3 prim: UTF8STRING :FAA
76:d=3 hl=2 l= 23 cons: SET
78:d=4 hl=2 l= 21 cons: SEQUENCE
80:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
85:d=5 hl=2 l= 14 prim: UTF8STRING :0124.ANGUTMPKI
101:d=3 hl=2 l= 33 cons: SET
103:d=4 hl=2 l= 31 cons: SEQUENCE
105:d=5 hl=2 l= 3 prim: OBJECT :commonName
110:d=5 hl=2 l= 24 prim: UTF8STRING :FAA Testp NPE Issuing CA
136:d=2 hl=2 l= 30 cons: SEQUENCE
138:d=3 hl=2 l= 13 prim: UTCTIME :210627173413Z
153:d=3 hl=2 l= 13 prim: UTCTIME :230627173412Z
168:d=2 hl=2 l= 86 cons: SEQUENCE
170:d=3 hl=2 l= 11 cons: SET
172:d=4 hl=2 l= 9 cons: SEQUENCE
174:d=5 hl=2 l= 3 prim: OBJECT :countryName
179:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US
183:d=3 hl=2 l= 12 cons: SET
185:d=4 hl=2 l= 10 cons: SEQUENCE
187:d=5 hl=2 l= 3 prim: OBJECT :organizationName
192:d=5 hl=2 l= 3 prim: UTF8STRING :FAA
197:d=3 hl=2 l= 23 cons: SET
199:d=4 hl=2 l= 21 cons: SEQUENCE
201:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
206:d=5 hl=2 l= 14 prim: UTF8STRING :0124.ANGUTMPKI
222:d=3 hl=2 l= 32 cons: SET
224:d=4 hl=2 l= 30 cons: SEQUENCE
226:d=5 hl=2 l= 3 prim: OBJECT :commonName
231:d=5 hl=2 l= 23 prim: UTF8STRING :test.210627.1swimsiging
256:d=2 hl=2 l= 89 cons: SEQUENCE
258:d=3 hl=2 l= 19 cons: SEQUENCE
260:d=4 hl=2 l= 7 prim: OBJECT :id-ecPublicKey
269:d=4 hl=2 l= 8 prim: OBJECT :prime256v1
279:d=3 hl=2 l= 66 prim: BIT STRING
347:d=2 hl=4 l= 367 cons: cont [ 3 ]
351:d=3 hl=4 l= 363 cons: SEQUENCE
355:d=4 hl=2 l= 31 cons: SEQUENCE
357:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
362:d=5 hl=2 l= 24 prim: OCTET STRING [HEX DUMP]:30168014D9B4E381E1E0EC11AB7555B89191C5434F9C3708
388:d=4 hl=3 l= 149 cons: SEQUENCE
391:d=5 hl=2 l= 8 prim: OBJECT :Authority Information Access
401:d=5 hl=3 l= 136 prim: OCTET STRING [HEX
DUMP]:308185305006082B060105050730028644687474703A2F2F746573743163617265706F7369746F72792E6661612E676F762F7465737463612F6661612D74657374702D6E70652D69737375696E672D63612E703763303106082B060105050730018625687474703A2F2F746573743163617265706F7369746F72792E6661612E676F762F6F637370
540:d=4 hl=2 l= 21 cons: SEQUENCE
542:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Certificate Policies
547:d=5 hl=2 l= 14 prim: OCTET STRING [HEX DUMP]:300C300A06082B1B100102000108
563:d=4 hl=2 l= 18 cons: SEQUENCE
565:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Extended Key Usage
570:d=5 hl=2 l= 11 prim: OCTET STRING [HEX DUMP]:300906072B1B1001040101
583:d=4 hl=2 l= 86 cons: SEQUENCE
585:d=5 hl=2 l= 3 prim: OBJECT :X509v3 CRL Distribution Points
590:d=5 hl=2 l= 79 prim: OCTET STRING [HEX
DUMP]:304D304BA049A0478645687474703A2F2F746573743163617265706F7369746F72792E6661612E676F762F7465737463726C2F6661612D74657374702D6E70652D69737375696E672D63612E63726C
671:d=4 hl=2 l= 29 cons: SEQUENCE
673:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
678:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04142383FD0B117DFF487E6F3771427D0ADEC8C9E8F8
702:d=4 hl=2 l= 14 cons: SEQUENCE
704:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Key Usage
709:d=5 hl=2 l= 1 prim: BOOLEAN :255
712:d=5 hl=2 l= 4 prim: OCTET STRING [HEX DUMP]:030206C0
718:d=1 hl=2 l= 10 cons: SEQUENCE
720:d=2 hl=2 l= 8 prim: OBJECT :ecdsa-with-SHA256
730:d=1 hl=2 l= 72 prim: BIT STRING
$ openssl asn1parse -i -strparse 401 -in test.210627.1.swimsiging.cer.pem
0:d=0 hl=3 l= 133 cons: SEQUENCE
3:d=1 hl=2 l= 80 cons: SEQUENCE
5:d=2 hl=2 l= 8 prim: OBJECT :CA Issuers
15:d=2 hl=2 l= 68 prim: cont [ 6 ]
85:d=1 hl=2 l= 49 cons: SEQUENCE
87:d=2 hl=2 l= 8 prim: OBJECT :OCSP
97:d=2 hl=2 l= 37 prim: cont [ 6 ]
0011.0100.1000.1100.0000.0111.1100
3.4.8.c.0.7.c
FAATestpNPEIssuingCA.pem
Description: application/x509-ca-cert
test.210627.1.swimsiging.cer.pem
Description: application/x509-ca-cert
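An added example, not part of the original message: a minimal DER walker that locates the signatureAlgorithm inside tbsCertificate and the unprotected outer copy, and returns both so a validator can compare them. The input is a constructed skeleton (filler in place of names, key and extensions) sized to match the issuing-CA asn1parse dump above; all function names are hypothetical.

```python
ECDSA_SHA512 = bytes.fromhex("06082a8648ce3d040304")  # OID 1.2.840.10045.4.3.4
ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")  # OID 1.2.840.10045.4.3.2

def tlv(tag, body):  # minimal DER encoder (definite lengths only)
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, off):
    """Return (tag, header_len, content_len) of the TLV at off, like hl=/l= in asn1parse."""
    tag, first = buf[off], buf[off + 1]
    hl, l = 2, first
    if first >= 0x80:                      # long form: low 7 bits = number of length bytes
        hl = 2 + (first & 0x7F)
        l = int.from_bytes(buf[off + 2:off + hl], "big")
    if first == 0x80 or off + hl + l > len(buf):
        raise ValueError("indefinite or truncated length")
    return tag, hl, l

def signature_algorithms(cert):
    """Return ((offset, l, der), (offset, l, der)) for the TBS copy and the outer copy."""
    tag, hl, _ = read_tlv(cert, 0)                 # Certificate
    tbs_tag, tbs_hl, tbs_l = read_tlv(cert, hl)    # tbsCertificate
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    off = hl + tbs_hl
    t, h, l = read_tlv(cert, off)
    if t == 0xA0:                                  # optional [0] version
        off += h + l
        t, h, l = read_tlv(cert, off)
    if t != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    off += h + l
    found = []
    for pos in (off, hl + tbs_hl + tbs_l):         # signed copy, then unprotected copy
        t, h, l = read_tlv(cert, pos)
        if t != 0x30:
            raise ValueError("expected AlgorithmIdentifier SEQUENCE")
        found.append((pos, l, cert[pos:pos + h + l]))
    return tuple(found)

def build_skeleton(outer_oid=ECDSA_SHA512):
    """Constructed sample: field sizes follow the issuing-CA dump, body is zero filler."""
    serial = bytes.fromhex("59DD22A8F7498CD6885052F32BA537F7CE8457AD")
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial)
              + tlv(0x30, ECDSA_SHA512) + tlv(0x30, bytes(970)))
    return tlv(0x30, tbs + tlv(0x30, outer_oid) + tlv(0x03, bytes(140)))
```

RFC 5280 requires the outer signatureAlgorithm to carry the same algorithm identifier as the signature field in tbsCertificate, so a verifier should reject a certificate where the two returned DER values differ.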
