[IETF-PKIX] PKIX questions (DH key and Key Identifier)
Nada has asked me to post the following questions. For some reason she is
prevented from talking on the list.
John
________________________________________________
To authors of part 1 on certificate and CRL profile,
I have two questions:
1. The first one is regarding the coding of SubjectPublicKey in case of DSA
and DH keys.
Section 7.3.3 states that:
"The DSA public key shall be ASN.1 encoded as an INTEGER; this
encoding shall be used as the contents (i.e., the value) of the
subjectPublicKey component (a BIT STRING) of the SubjectPublicKeyInfo
data element.
DSAPublicKey ::= INTEGER -- public key Y"
However, section 7.3.2 uses completely different rules for coding
Diffie-Hellman public key, which is also an integer:
"The Diffie-Hellman public key (an INTEGER) is mapped to a
subjectPublicKey (a BIT STRING) as follows: the most significant bit
(MSB) of the INTEGER becomes the MSB of the BIT STRING; the least
significant bit (LSB) of the INTEGER becomes the LSB of the BIT
STRING."
Is there any reason for this inconsistency?
It would be natural to code DH key in the same way as DSA key (and RSA key
which is a sequence of two ASN.1 coded integers).
2. My other question is partly related to the above discussion, but
regarding the algorithm for calculation of key identifier extensions.
Ipki-part1 describes only in one place the way of calculating the value of
key identifier. It is in section 4.2.1.2:
"The subject key identifier extension provides a means of identifying
the particular public key used in an application. Where a reference
to a public key identifier is needed (as with an Authority Key
Identifier) and one is not included in the associated certificate, a
SHA-1 hash of the subject public key shall be used. The hash shall
be calculated over the value (excluding tag and length) of the
subject public key field in the certificate. This extension should
be marked non-critical."
I have a problem interpreting the sentence "The hash shall be calculated
over the value (excluding tag and length) of the subject public key field
in the certificate."
SubjectPublicKey is defined as a BIT STRING:
    SubjectPublicKeyInfo ::= SEQUENCE {
        algorithm         AlgorithmIdentifier,
        subjectPublicKey  BIT STRING }
and a value of the BIT STRING depends on the type of the public key. For
example for RSA keys it is:
    RSAPublicKey ::= SEQUENCE {
        modulus         INTEGER, -- n
        publicExponent  INTEGER  -- e -- }
So, I guess one should just take the value of bit string without its tag
and length. However, this value does not necessarily have to be the same as
the DER coding of RSAPublicKey.
From an example RSA certificate in appendix D.3 subject public key is coded
as follows (page 107):
{ subject's public key }
03 6b BIT STRING length 107 bytes (856 bits)
0030 6802 6100 beaa 8b77 54a3 afca 779f
2fb0 cf43 88ff a66d 7955 5b61 8c68 ec48
1e8a 8638 a4fe 19b8 6217 1d9d 0f47 2cff
638f 2991 04d1 52bc 7f67 b6b2 8f74 55c1
3321 6c8f ab01 9524 c8b2 7393 9d22 6150
a935 fb9d 5750 32ef 5652 5093 abb1 8894
7856 15c6 1c8b 0203 0100 01
So, the value of bit string, without its tag and length, is:
0030 6802 6100 beaa 8b77 54a3 afca 779f
2fb0 cf43 88ff a66d 7955 5b61 8c68 ec48
1e8a 8638 a4fe 19b8 6217 1d9d 0f47 2cff
638f 2991 04d1 52bc 7f67 b6b2 8f74 55c1
3321 6c8f ab01 9524 c8b2 7393 9d22 6150
a935 fb9d 5750 32ef 5652 5093 abb1 8894
7856 15c6 1c8b 0203 0100 01
However, the coding of RSAPublicKey is only the part:
30 6802 6100 beaa 8b77 54a3 afca 779f
2fb0 cf43 88ff a66d 7955 5b61 8c68 ec48
1e8a 8638 a4fe 19b8 6217 1d9d 0f47 2cff
638f 2991 04d1 52bc 7f67 b6b2 8f74 55c1
3321 6c8f ab01 9524 c8b2 7393 9d22 6150
a935 fb9d 5750 32ef 5652 5093 abb1 8894
7856 15c6 1c8b 0203 0100 01
In other words, there is a difference in the first byte of the bit string
coding that tells how many bits in the last byte are unused (in the case of
sequence none - hence the zero byte to start bit string with).
My question is which of these two values should be used for the calculation
of key identifier?
I apologize for giving so many details, but I felt this is the easiest way
to explain the problem.
Regards,
Nada
-------------------------------------------------------------------
| John Hughes j.o.hughes@btinternet.com |
| ENTEGRITY Solutions Home Office Tel: +44(0)1525 380160 |
| Main Office Tel: +44(0)181 876 8666 |
| www.entegrity.com Mobile: +44(0)468 055070 |
-------------------------------------------------------------------
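
The two candidate key identifier inputs from question 2, computed side by side. This is an added example, not part of the original message or of the draft; the function names are made up for illustration, and the bytes are the appendix D.3 dump quoted above. RFC 5280 section 4.2.1.2 later worded the rule as excluding "the tag, length, and number of unused bits", which corresponds to the `key_bytes_only` result.

```python
import hashlib

# BIT STRING TLV of subjectPublicKey, copied from the appendix D.3 dump quoted above.
SPK_TLV = bytes.fromhex("".join("""
036b
0030 6802 6100 beaa 8b77 54a3 afca 779f
2fb0 cf43 88ff a66d 7955 5b61 8c68 ec48
1e8a 8638 a4fe 19b8 6217 1d9d 0f47 2cff
638f 2991 04d1 52bc 7f67 b6b2 8f74 55c1
3321 6c8f ab01 9524 c8b2 7393 9d22 6150
a935 fb9d 5750 32ef 5652 5093 abb1 8894
7856 15c6 1c8b 0203 0100 01
""".split()))


def read_tlv(buf, offset=0):
    """Return (tag, value, next_offset) for one DER TLV with a single-octet tag."""
    if len(buf) < offset + 2:
        raise ValueError("truncated TLV header")
    tag, first = buf[offset], buf[offset + 1]
    pos = offset + 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form length: next n octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) < pos + n:
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if len(buf) < pos + length:
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def key_id_candidates(bit_string_tlv):
    """SHA-1 over both readings of 'the value (excluding tag and length)'."""
    tag, value, end = read_tlv(bit_string_tlv)
    if tag != 0x03 or end != len(bit_string_tlv) or not value:
        raise ValueError("expected exactly one non-empty BIT STRING")
    unused_bits, key_bytes = value[0], value[1:]   # first content octet is the unused-bits count
    if unused_bits > 7 or (unused_bits and not key_bytes):
        raise ValueError("invalid unused-bits octet")
    return {
        "unused_bits": unused_bits,
        "with_unused_bits_octet": hashlib.sha1(value).hexdigest(),
        "key_bytes_only": hashlib.sha1(key_bytes).hexdigest(),
    }
```

The two digests differ only because of the single leading `00` octet, so a CA and a relying party that read the sentence differently will compute identifiers that never match.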