why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

Gsealy
Hi team,

I know CMP uses DER encoding and is posted with the "application/pkixcmp" Content-Type.

I use the BC CertificateRequestMessageBuilder class to create a cr (CertReqMessages) request, and I found the PublicKey entity is packaged in a DLSequence object (using SM2), not a Vector or DERSequence (see the base64 text in the attachment "ECsm2req.txt").

But my simple request text used a DERSequence (using RSA) (see the base64 text in the attachment "RSAreq.txt").

Is using DLSequence right? And what is the difference from the other encoding types (BER/DER)?

Thanks,
Gsealy

Attachments: ECsm2req.txt (1K), RSAreq.txt (2K)

Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

Matti Aarnio
Hi Gsealy,

That depends on the SubjectPublicKeyInfo object you give to the CertificateRequestMessageBuilder.setPublicKey(spki) method.
How did you create it?

BR, Matti


On 5/22/19 3:44 PM, J Gsealy wrote:
Hi team,

I know CMP use DER encode and post by "application/pkixcmp" Content-Type.

I use BC CertificateRequestMessageBuilder class to create a cr(CertReqMessages) request, I found PublicKey entity is package by a DLSequence object

(use sm2), not Vector or DERSEquence (see attachment base64 text in "ECsm2req.txt")



But my simple request text was use DERSequence(use RSA) (see attachment base64 text in "RSAreq.txt")



use DLSequence is right? and what's different with others encode type(BER/DER)?

Thanks,
Gsealy


Reply | Threaded
Open this post in threaded view
|

Re: Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

Gsealy
Hi Matti,

I built an EC key pair using the "sm2p256v1" curve, and used the method below to convert it:

// key pair generation ("helper" is not shown in this post)
ECGenParameterSpec ecGenParameterSpec = new ECGenParameterSpec("sm2p256v1");
KeyPairGenerator kp = helper.createKeyPairGenerator("EC");
kp.initialize(ecGenParameterSpec);
return kp.generateKeyPair();

// request building
CertificateRequestMessageBuilder msgBuilder = new CertificateRequestMessageBuilder(this.certReqId);
// add PublicKey: parse the X.509 SubjectPublicKeyInfo encoding returned by PublicKey.getEncoded()
final SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(this.publicKey.getEncoded());
msgBuilder.setPublicKey(keyInfo);

Is the public key not encoded to DER?

Thanks,
Gsealy
 
Re: Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

David Hook-3

A DLSequence and a DERSequence generally mean the same thing. Either can be used to produce a DER encoding as well. The difference is that on reading you can't explicitly tell if you're parsing DER data or definite-length data. The DLSequence is used to prevent things that have been parsed accidentally getting DER encoded when they shouldn't be.

Regards,

David
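The DER/DL/BER distinction described in the reply above, shown as an added example (this is not code from the thread or from the Bouncy Castle project): three sequence classes holding the same content, the bytes each emits, and what comes back when the BER form is parsed and re-encoded. The element values are made up for the demonstration; only Bouncy Castle's own ASN.1 classes are used.

```java
import java.io.IOException;
import java.math.BigInteger;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Primitive;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.BERSequence;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.DERSequence;
import org.bouncycastle.asn1.DLSequence;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;

public class SequenceEncodingDemo {

    // Constructed sample content: an INTEGER and a short OCTET STRING.
    static ASN1Encodable[] content() {
        return new ASN1Encodable[] {
            new ASN1Integer(BigInteger.ONE),
            new DEROctetString(new byte[] { 0x0a, 0x0b, 0x0c })
        };
    }

    public static void main(String[] args) throws IOException {
        // DERSequence and DLSequence both write a definite-length SEQUENCE;
        // BERSequence writes the indefinite-length form (30 80 ... 00 00).
        byte[] der = new DERSequence(content()).getEncoded();
        byte[] dl  = new DLSequence(content()).getEncoded();
        byte[] ber = new BERSequence(content()).getEncoded();

        System.out.println("DERSequence : " + Hex.toHexString(der));
        System.out.println("DLSequence  : " + Hex.toHexString(dl));
        System.out.println("BERSequence : " + Hex.toHexString(ber));
        System.out.println("DER bytes == DL bytes? " + Arrays.areEqual(der, dl));

        // Parse the BER bytes back. getEncoded() with no argument keeps the form the
        // object was read with; getEncoded(ASN1Encoding.DER) forces canonical DER.
        ASN1Primitive parsed = ASN1Primitive.fromByteArray(ber);
        System.out.println("parsed BER as          : " + parsed.getClass().getSimpleName());
        byte[] reencoded = parsed.getEncoded();
        byte[] canonical = parsed.getEncoded(ASN1Encoding.DER);
        System.out.println("re-encoded (default)   : " + Hex.toHexString(reencoded));
        System.out.println("re-encoded (DER forced): " + Hex.toHexString(canonical));
        System.out.println("default == original BER? " + Arrays.areEqual(reencoded, ber));
        System.out.println("DER forced == DERSequence bytes? " + Arrays.areEqual(canonical, der));

        // A definite-length parse comes back as a DL object, not a DER one: the
        // parser cannot know whether the producer respected the DER restrictions.
        ASN1Sequence parsedDl = ASN1Sequence.getInstance(dl);
        System.out.println("parsed definite-length as: " + parsedDl.getClass().getSimpleName());
    }
}
```

The practical consequence for CMP: the message protection of RFC 4210 and the CRMF proof-of-possession signature of RFC 4211 are both computed over the DER encoding, so anything that signs or verifies a parsed structure should re-encode it with ASN1Encoding.DER rather than with the argument-less getEncoded(). An object parsed from DER re-encodes to the same bytes either way; one parsed from indefinite-length BER does not.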

Re: Re: [dev-crypto] Re: Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

Gsealy
Hi team,

Now I know the difference between the two sequence types, but I found another thing.
When I build a CertTemplate entity using the CertTemplateBuilder class, I found there is no sequence wrapping the SubjectPublicKeyInfo.

Maybe this is not per the specification; should a sequence be added outside the SubjectPublicKeyInfo? If so, how do I add it?

Thanks,
Gsealy

Attachment: cmp_base64.txt (1K)

Re: Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

Matti Aarnio
Hi David,

The code below shows this bad request generation formatting.
The same badness happens for an RSA key too.
( KeyPairGenerator.getInstance("RSA","BC"); kpg.initialize(1024); )

Therefore the problem is probably in the CertTemplateBuilder.build() method,
or more precisely the addOptional() method inside it:
    DERTaggedObject dto = new DERTaggedObject(false, 6, keyInfo);

Why does that encode the tagged thing incorrectly?

BR, Matti Aarnio


import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.cert.crmf.CertificateRequestMessageBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;

public class TestSM2Keygen {

    public static void main(String[] args) {
        try {
            Security.addProvider(new BouncyCastleProvider());

            // SM2 key pair on the sm2p256v1 curve from the BC provider
            final ECGenParameterSpec ecGenSpec = new ECGenParameterSpec("sm2p256v1");
            final KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
            kpg.initialize(ecGenSpec);
            final KeyPair kp = kpg.generateKeyPair();
            final PublicKey pubKey = kp.getPublic();
            // PublicKey.getEncoded() is the X.509 SubjectPublicKeyInfo DER; parse it back into BC's type
            final byte[] pubKeyDer = pubKey.getEncoded();
            final SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pubKeyDer);
            final byte[] spkiDer = keyInfo.getEncoded();

            System.out.println("pubkey = " + Hex.toHexString(pubKeyDer));
            System.out.println("spki = " + Hex.toHexString(spkiDer));

            // Full CertReqMsg with certReqId = 1 and only the public key set
            final CertificateRequestMessageBuilder msgBuilder = new CertificateRequestMessageBuilder(BigInteger.ONE);
            msgBuilder.setPublicKey(keyInfo);

            CertificateRequestMessage crm = msgBuilder.build();
            System.out.println("CRM = " + Hex.toHexString(crm.getEncoded()));

            // What CertTemplateBuilder does for publicKey: implicit context tag [6]
            final DERTaggedObject dto = new DERTaggedObject(false, 6, keyInfo);
            System.out.println("DTO = " + Hex.toHexString(dto.getEncoded()));

            // The CertTemplate on its own, for comparison with the DTO bytes
            final CertTemplateBuilder ctb = new CertTemplateBuilder();
            ctb.setPublicKey(keyInfo);
            final CertTemplate ct = ctb.build();
            System.out.println("CT = " + Hex.toHexString(ct.getEncoded()));
        }
        catch (Throwable e) {
            e.printStackTrace();
        }
    }
}
Re: Re: [dev-crypto] Re: Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

Gsealy
Hi Team, Matti,

Thanks to Matti for reproducing it.
When I test msgBuilder.setSerialNumber(BigInteger.ONE); it was encoded to an OctetString, not an Integer.

(I just added setSerialNumber() to Matti's code.)

Thanks,
Gsealy
------------------------------------------------
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.DERTaggedObject;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.crmf.CertificateRequestMessage;
import org.bouncycastle.cert.crmf.CertificateRequestMessageBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.encoders.Hex;

public class TestBCCertTemplate {

    public static void main(String[] args) {
        try {
            Security.addProvider(new BouncyCastleProvider());

            // SM2 key pair on the sm2p256v1 curve from the BC provider
            final ECGenParameterSpec ecGenSpec = new ECGenParameterSpec("sm2p256v1");
            final KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
            kpg.initialize(ecGenSpec);
            final KeyPair kp = kpg.generateKeyPair();
            final PublicKey pubKey = kp.getPublic();
            final byte[] pubKeyDer = pubKey.getEncoded();
            final SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(pubKeyDer);
            final byte[] spkiDer = keyInfo.getEncoded();

            System.out.println("pubkey = " + Hex.toHexString(pubKeyDer));
            System.out.println("spki = " + Hex.toHexString(spkiDer));

            // CertReqMsg with certReqId = 1, serialNumber = 1 and the public key
            final CertificateRequestMessageBuilder msgBuilder = new CertificateRequestMessageBuilder(
                    BigInteger.ONE);
            msgBuilder.setSerialNumber(BigInteger.ONE);
            msgBuilder.setPublicKey(keyInfo);

            CertificateRequestMessage crm = msgBuilder.build();
            System.out.println("CRM = " + Hex.toHexString(crm.getEncoded()));

            // serialNumber is CertTemplate field [1], implicitly tagged
            final DERTaggedObject snDto = new DERTaggedObject(false, 1, new ASN1Integer(BigInteger.ONE));
            System.out.println("SN DTO = " + Hex.toHexString(snDto.getEncoded()));

            // publicKey is CertTemplate field [6], implicitly tagged
            final DERTaggedObject keyInfoDto = new DERTaggedObject(false, 6, keyInfo);
            System.out.println("PUB KEY DTO = " + Hex.toHexString(keyInfoDto.getEncoded()));

            // The CertTemplate on its own, for comparison with the two DTOs above
            final CertTemplateBuilder ctb = new CertTemplateBuilder();
            ctb.setSerialNumber(new ASN1Integer(BigInteger.ONE));
            ctb.setPublicKey(keyInfo);
            final CertTemplate ct = ctb.build();
            System.out.println("CT = " + Hex.toHexString(ct.getEncoded()));
        }
        catch (Throwable e) {
            e.printStackTrace();
        }
    }
}

Re: Re: why publickey sequence use DLSequence in CMP cr-CertTemplate entity ?

David Hook-3
In reply to this post by Matti Aarnio

I'm not sure I understand this one. The object's correct - it's just
implicitly tagged. Can you expand on what you think the problem is?

Thanks,

David
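What the implicit tag does to the two fields discussed in this thread (no SEQUENCE wrapping the SubjectPublicKeyInfo, and a serialNumber that a schema-less dump does not show as an INTEGER), as an added example that is not part of the original posts or of the Bouncy Castle project. The CRMF module in RFC 4211 is declared with IMPLICIT TAGS, so a CertTemplate field's context tag replaces the universal tag of the field's type: the 0x30 of the SPKI becomes 0xA6 and the 0x02 of the INTEGER becomes 0x81, with length and content unchanged. The key generation mirrors the code already in the thread; the byte-level comparison and the retag helper are my own additions.

```java
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.spec.ECGenParameterSpec;

import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Integer;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.ASN1TaggedObject;
import org.bouncycastle.asn1.crmf.CertTemplate;
import org.bouncycastle.asn1.crmf.CertTemplateBuilder;
import org.bouncycastle.asn1.util.ASN1Dump;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.util.Arrays;
import org.bouncycastle.util.encoders.Hex;

public class ImplicitTagDemo {

    // Helper (mine, not a BC API): apply IMPLICIT tagging by hand, i.e. keep the
    // length and content octets and replace only the identifier octet. Assumes a
    // single-octet identifier, which holds for every universal type used here.
    static byte[] retag(byte[] der, int identifierOctet) {
        byte[] out = Arrays.clone(der);
        out[0] = (byte) identifierOctet;
        return out;
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Same key generation as in the thread
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC", "BC");
        kpg.initialize(new ECGenParameterSpec("sm2p256v1"));
        KeyPair kp = kpg.generateKeyPair();
        SubjectPublicKeyInfo spki = SubjectPublicKeyInfo.getInstance(kp.getPublic().getEncoded());
        ASN1Integer serial = new ASN1Integer(BigInteger.ONE);

        CertTemplate ct = new CertTemplateBuilder()
                .setSerialNumber(serial)
                .setPublicKey(spki)
                .build();
        byte[] ctDer = ct.getEncoded(ASN1Encoding.DER);
        System.out.println("CertTemplate DER: " + Hex.toHexString(ctDer));

        // 1. Schema-less view. The dumper only sees context tags [1] and [6]; the
        //    content of the primitive [1] cannot be typed and is shown as raw octets.
        System.out.println(ASN1Dump.dumpAsString(ct.toASN1Primitive(), true));

        // 2. Byte-level check. Each field is the field's own DER with the identifier
        //    octet replaced: 0x81 = context-specific, primitive, tag 1;
        //    0xA6 = context-specific, constructed, tag 6. Nothing wraps the SPKI.
        ASN1Sequence raw = ASN1Sequence.getInstance(ctDer);
        ASN1TaggedObject snTagged = ASN1TaggedObject.getInstance(raw.getObjectAt(0));
        ASN1TaggedObject pkTagged = ASN1TaggedObject.getInstance(raw.getObjectAt(1));

        byte[] expectSn = retag(serial.getEncoded(ASN1Encoding.DER), 0x81);
        byte[] expectPk = retag(spki.getEncoded(ASN1Encoding.DER), 0xA6);
        System.out.println("[1] == retagged INTEGER? "
                + Arrays.areEqual(expectSn, snTagged.getEncoded(ASN1Encoding.DER)));
        System.out.println("[6] == retagged SPKI?    "
                + Arrays.areEqual(expectPk, pkTagged.getEncoded(ASN1Encoding.DER)));

        // 3. Schema-aware decode. Telling BC the tag is implicit and which type sits
        //    underneath recovers the original values.
        ASN1Integer serialBack = ASN1Integer.getInstance(snTagged, false);
        SubjectPublicKeyInfo spkiBack = SubjectPublicKeyInfo.getInstance(pkTagged, false);
        System.out.println("serial round-trips? " + serial.equals(serialBack));
        System.out.println("SPKI round-trips?   " + spki.equals(spkiBack));

        // 4. The same decode through the CRMF class, which is how a CA reads the request.
        CertTemplate parsed = CertTemplate.getInstance(ctDer);
        System.out.println("via CertTemplate: serial=" + parsed.getSerialNumber().getValue()
                + ", key algorithm OID=" + parsed.getPublicKey().getAlgorithm().getAlgorithm());
    }
}
```

The check a practitioner wants here is step 4, not a generic dumper: decode the request with the CRMF types (or verify it against the CRMF schema) and compare field values, because a schema-less tool has no way to distinguish an implicitly tagged INTEGER from an OCTET STRING, and will report the bytes as whatever its fallback type is.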
