Closed Honzaik closed 4 months ago
Thank you for pointing out this issue, you are correct and we will correct this issue in the next version of the draft. We have been working on PQ interoperability with the IETF and have a github repo of artifiacts (some which are composite). Composite has undergone a number of version changes, so some of the composite artifacts may be older (and not work with the latest version). We would love it if you could post some of your produced keys and certificate samples for composite to this repository so other implementations could be tested with your implementation. Our repository is here: https://github.com/IETF-Hackathon/pqc-certificates.
We are in the process of updating the -13 document and should have updated samples within the IETF deadline.
Thank you for the information. I will provide my samples to the pqc-certificates repo ASAP when I update the library to the up-to-date draft.
Added updated sample to latest version #141
Thanks for all your help Honzaik! What is your full Name (first last)? If you would like, I'll add your name to the contribution section of the document (near the end).
My full name is "Jan Oupický" and (if you also include the information) I am affiliated with the University of Luxembourg. Thanks!
Thanks! I had to publish the -13 version yesterday, but I’ll make a note to include your name in the next version. 😊 I think the included samples should be compliant to -13, and I did check your certificate example and verified it was doing the DER (OID) || Message with the hashing correctly. So I think you should probably be able to verify the samples that are now in the latest draft update. Thank you so much for your help in this effort!
By the way, we are having our next IETF hackathon in a couple weeks as part of IETF 119. A number of us will be remote (myself included), and joining the hackathon is free, so if you would like to participate you are most welcome! https://wiki.ietf.org/meeting/119/hackathon
Our project is called “Post-Quantum Cryptography (PQC) in X.509, Signatures, KEMs, and protocols”
Our Github repo is here, and you are welcome to post artifacts. Let me know if you are interested and I’ll add you to our Git repository as a contributor. https://github.com/IETF-Hackathon/pqc-certificates
Cheers,
John Gray
From: Honzaik @.> Sent: Tuesday, March 5, 2024 3:36 AM To: EntrustCorporation/draft-ounsworth-composite-sigs @.> Cc: John Gray @.>; State change @.> Subject: [EXTERNAL] Re: [EntrustCorporation/draft-ounsworth-composite-sigs] Possible inconsistencies in the provided samples. (Issue #130)
My full name is "Jan Oupický" and (if you also include the information) I am affiliated with the University of Luxembourg. Thanks! — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you modified
My full name is "Jan Oupický" and (if you also include the information) I am affiliated with the University of Luxembourg. Thanks!
— Reply to this email directly, view it on GitHubhttps://urldefense.com/v3/__https:/github.com/EntrustCorporation/draft-ounsworth-composite-sigs/issues/130*issuecomment-1978217828__;Iw!!FJ-Y8qCqXTj2!cdB5PRKDzi3DZ7TD5q_P6h5NDj-JRDk5X3i94EuaXZhwze7f0ui3wXnCQstXXzFhh3FW1xYLXxr4z6LhjYPYLw5UyQ$, or unsubscribehttps://urldefense.com/v3/__https:/github.com/notifications/unsubscribe-auth/ANFGAWLC7OO4IFOEX7ENCFLYWV7VTAVCNFSM6AAAAABDACH2P6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSNZYGIYTOOBSHA__;!!FJ-Y8qCqXTj2!cdB5PRKDzi3DZ7TD5q_P6h5NDj-JRDk5X3i94EuaXZhwze7f0ui3wXnCQstXXzFhh3FW1xYLXxr4z6LhjYNdH-IHcw$. You are receiving this because you modified the open/close state.Message ID: @.**@.>>
Any email and files/attachments transmitted with it are intended solely for the use of the individual or entity to whom they are addressed. If this message has been sent to you in error, you must not copy, distribute or disclose of the information it contains. Please notify Entrust immediately and delete the message from your system.
Yes, I just updated the BouncyCastle implementation and it verifies!
The only possible inconsistency I found is in the encoding of the Dilithium component private key but that needs to be sorted out on the lower level (Dilithium private key encoding).
Thank you for the invitation, unfortunately I am on vacation during that time. I'll try to join next time!
Regarding the artifacts, I'll read through the documentation and try to produce them. The only thing I am unsure about is what would my artifacts classify as because my pull request is still pending in the BouncyCastle repository, so it is technically not part of BouncyCastle (yet?). I don't know if the maintainers have plans to merge it or not.
Cheers
Hello, I tried to implement composite signatures into BouncyCastle (https://github.com/bcgit/bc-java/pull/1546) according to the draft specification https://www.ietf.org/archive/id/draft-ounsworth-pq-composite-sigs-11.html. However, when I try to test compatibility with provided samples in Appendix A, I come across a few inconsistencies.
Let me preface this that I am a beginner to the topic of ASN.1 and this was my first attempt to implement something according to a X.509/ASN.1-related specification, so it most likely is a misunderstanding on my part but I guess at least I will learn something.
Public key format
From what I can tell, the sample public key for MLDSA44-ECDSA-P256-SHA256 is a SubjectPublicKeyInfo where the subjectPublicKey decodes into a SEQUENCE of 2 OCTET STRINGs but from Section 3.2 I understand that it should be a SEQUENCE of 2 BIT STRINGs.
See provided examples (decoded using https://lapo.it/asn1js):
Sample from RFC
My generated sample
Private key format
The provided private key for MLDSA44-ECDSA-P256-SHA256 is a PrivateKeyInfo where the privateKey decodes into a SEQUENCE of 2 OCTET STRINGs where the 1st string (Dilithium) doesn't seem to decode into anything (not really important as Dilithium formats are still experimental), and the 2nd string (ECDSA) decodes into what seems to be ECPrivateKey (https://datatracker.ietf.org/doc/html/rfc5915).
However, Section 3.3 states that privateKey should be a SEQUENCE of 2 OneAsymmetricKey (aka PrivateKeyInfo).
See provided examples:
Sample from RFC
My generated sample
Certificate format and signature validity
As a consequence of the issue with the public key format, the included certificate contains SubjectPublicKeyInfo with two OCTET STRINGs (instead of BIT STRINGs).
The more important issue is that even when I modified my implementation to parse the OCTET STRING public keys, the signature does not validate in both components. The Dilithium signature not validating can be explained by experimental implementation differences (your library vs BC's implementation), however, the ECDSA signature is also invalid.
I am not sure if that is an issue with my implementation (the main logic is here https://github.com/Honzaik/bc-java/blob/main/prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/compositesignatures/SignatureSpi.java#L223) or the provided sample. I provide my self signed certificate sample below.
I'd be happy if someone could clear this up for me. Thank you