EntrustCorporation / draft-ounsworth-composite-sigs

IETF Internet-Draft about X.509 certificates with composite keys and signatures

Possible inconsistencies in the provided samples. #130

Closed Honzaik closed 4 months ago

Honzaik commented 4 months ago

Hello, I tried to implement composite signatures into BouncyCastle (https://github.com/bcgit/bc-java/pull/1546) according to the draft specification https://www.ietf.org/archive/id/draft-ounsworth-pq-composite-sigs-11.html. However, when I try to test compatibility with provided samples in Appendix A, I come across a few inconsistencies.

Let me preface this by saying that I am a beginner to the topic of ASN.1 and this was my first attempt to implement something according to an X.509/ASN.1-related specification, so it most likely is a misunderstanding on my part but I guess at least I will learn something.

Public key format

From what I can tell, the sample public key for MLDSA44-ECDSA-P256-SHA256 is a SubjectPublicKeyInfo where the subjectPublicKey decodes into a SEQUENCE of 2 OCTET STRINGs but from Section 3.2 I understand that it should be a SEQUENCE of 2 BIT STRINGs.

See provided examples (decoded using https://lapo.it/asn1js):

Sample from RFC

Screenshot 2024-02-08 at 12 15 12

My generated sample

Screenshot 2024-02-08 at 12 19 45

Private key format

The provided private key for MLDSA44-ECDSA-P256-SHA256 is a PrivateKeyInfo where the privateKey decodes into a SEQUENCE of 2 OCTET STRINGs where the 1st string (Dilithium) doesn't seem to decode into anything (not really important as Dilithium formats are still experimental), and the 2nd string (ECDSA) decodes into what seems to be ECPrivateKey (https://datatracker.ietf.org/doc/html/rfc5915).

However, Section 3.3 states that privateKey should be a SEQUENCE of 2 OneAsymmetricKey (aka PrivateKeyInfo).

See provided examples:

Sample from RFC

Screenshot 2024-02-08 at 14 14 01

My generated sample

Screenshot 2024-02-08 at 14 13 04

Certificate format and signature validity

As a consequence of the issue with the public key format, the included certificate contains SubjectPublicKeyInfo with two OCTET STRINGs (instead of BIT STRINGs).

The more important issue is that even when I modified my implementation to parse the OCTET STRING public keys, the signature does not validate in both components. The Dilithium signature not validating can be explained by experimental implementation differences (your library vs BC's implementation), however, the ECDSA signature is also invalid.

I am not sure if that is an issue with my implementation (the main logic is here https://github.com/Honzaik/bc-java/blob/main/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java#L223) or the provided sample. I provide my self-signed certificate sample below.


I'd be happy if someone could clear this up for me. Thank you
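The public-key mismatch reported in the post above (Section 3.2 calls for a SEQUENCE of two BIT STRINGs, while the sample decoded to two OCTET STRINGs) can be checked mechanically before any signature verification is attempted. The following is an added example, not part of the original post, the draft or BouncyCastle; `composite_component_tags` and the other helper names are hypothetical, and the sample keys are constructed with the placeholder OID 2.999.1 and dummy component bytes.

```python
TAGS = {0x03: "BIT STRING", 0x04: "OCTET STRING", 0x30: "SEQUENCE"}

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the definite-length TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def composite_component_tags(spki_der):
    """Name the ASN.1 type of each component inside subjectPublicKey."""
    tag, body, end = read_tlv(spki_der)
    fields = children(body) if tag == 0x30 and end == len(spki_der) else []
    if [t for t, _ in fields] != [0x30, 0x03] or fields[1][1][:1] != b"\x00":
        raise ValueError("not a SubjectPublicKeyInfo with a byte-aligned key")
    tag, inner, _ = read_tlv(fields[1][1][1:])  # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("subjectPublicKey does not wrap a SEQUENCE")
    return [TAGS.get(t, hex(t)) for t, _ in children(inner)]

def der(tag, value):
    # Encoder used only to build the constructed samples below.
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_spki(component_tag):
    """Constructed SPKI: placeholder OID 2.999.1 and dummy component bytes."""
    pad = b"\x00" if component_tag == 0x03 else b""  # BIT STRING unused-bits octet
    keys = b"".join(der(component_tag, pad + k) for k in (b"\xAA" * 200, b"\xBB" * 65))
    alg = der(0x30, der(0x06, b"\x88\x37\x01"))
    return der(0x30, alg + der(0x03, b"\x00" + der(0x30, keys)))
```

Running `composite_component_tags` over a DER-decoded sample key and comparing the result with `["BIT STRING", "BIT STRING"]` flags the encoding difference described in the post without touching the key material itself.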

johngray-dev commented 4 months ago

Thank you for pointing out this issue, you are correct and we will correct this issue in the next version of the draft. We have been working on PQ interoperability with the IETF and have a GitHub repo of artifacts (some of which are composite). Composite has undergone a number of version changes, so some of the composite artifacts may be older (and not work with the latest version). We would love it if you could post some of your produced keys and certificate samples for composite to this repository so other implementations could be tested with your implementation. Our repository is here: https://github.com/IETF-Hackathon/pqc-certificates.

johngray-dev commented 4 months ago

We are in the process of updating the -13 document and should have updated samples within the IETF deadline.

Honzaik commented 4 months ago

Thank you for the information. I will provide my samples to the pqc-certificates repo ASAP when I update the library to the up-to-date draft.

johngray-dev commented 4 months ago

Added updated sample to latest version #141

johngray-dev commented 4 months ago

Thanks for all your help Honzaik! What is your full Name (first last)? If you would like, I'll add your name to the contribution section of the document (near the end).

Honzaik commented 4 months ago

My full name is "Jan Oupický" and (if you also include the information) I am affiliated with the University of Luxembourg. Thanks!

johngray-dev commented 4 months ago

Thanks! I had to publish the -13 version yesterday, but I’ll make a note to include your name in the next version. 😊 I think the included samples should be compliant to -13, and I did check your certificate example and verified it was doing the DER (OID) || Message with the hashing correctly. So I think you should probably be able to verify the samples that are now in the latest draft update. Thank you so much for your help in this effort!

By the way, we are having our next IETF hackathon in a couple weeks as part of IETF 119. A number of us will be remote (myself included), and joining the hackathon is free, so if you would like to participate you are most welcome! https://wiki.ietf.org/meeting/119/hackathon

Our project is called “Post-Quantum Cryptography (PQC) in X.509, Signatures, KEMs, and protocols”

Our Github repo is here, and you are welcome to post artifacts. Let me know if you are interested and I’ll add you to our Git repository as a contributor. https://github.com/IETF-Hackathon/pqc-certificates

Cheers,

John Gray


Honzaik commented 4 months ago

Yes, I just updated the BouncyCastle implementation and it verifies!

The only possible inconsistency I found is in the encoding of the Dilithium component private key but that needs to be sorted out on the lower level (Dilithium private key encoding).

Thank you for the invitation, unfortunately I am on vacation during that time. I'll try to join next time!

Regarding the artifacts, I'll read through the documentation and try to produce them. The only thing I am unsure about is what would my artifacts classify as because my pull request is still pending in the BouncyCastle repository, so it is technically not part of BouncyCastle (yet?). I don't know if the maintainers have plans to merge it or not.

Cheers