search

PeculiarVentures / x509

@peculiar/x509 is an easy to use TypeScript/Javascript library based on @peculiar/asn1-schema that makes generating X.509 Certificates and Certificate Requests as well as validating certificate chains easy
https://peculiarventures.github.io/x509/
MIT License
78 stars 10 forks source link

Seemingly invalid AlgorithmIdentifier ASN.1 encoding #9

Closed fmonniot closed 3 years ago

fmonniot commented 3 years ago

Hello there,

I was trying to use the ecdsa-with-SHA256 algorithm to sign my certificates, but it seems the ASN.1 encoding generated includes a NULL attribute. For example here is the beginning of a certificate as generated by this library:

    0:d=0  hl=4 l= 449 cons: SEQUENCE
    4:d=1  hl=4 l= 357 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   8 prim:   INTEGER           :19F2B75E93D0686D
   23:d=2  hl=2 l=  12 cons:   SEQUENCE
   25:d=3  hl=2 l=   8 prim:    OBJECT            :ecdsa-with-SHA256
   35:d=3  hl=2 l=   0 prim:    NULL
   37:d=2  hl=2 l=  34 cons:   SEQUENCE

I generated another certificate through another source and that one doesn't have the NULL attribute:

    0:d=0  hl=4 l= 480 cons: SEQUENCE
    4:d=1  hl=4 l= 390 cons:  SEQUENCE
    8:d=2  hl=2 l=   3 cons:   cont [ 0 ]
   10:d=3  hl=2 l=   1 prim:    INTEGER           :02
   13:d=2  hl=2 l=   8 prim:   INTEGER           :19F2B75E93D0686D
   23:d=2  hl=2 l=  10 cons:   SEQUENCE
   25:d=3  hl=2 l=   8 prim:    OBJECT            :ecdsa-with-SHA256
   35:d=2  hl=2 l=  34 cons:   SEQUENCE

Reading RFC3279, it seems the parameters field must not be present. I modified https://github.com/PeculiarVentures/x509/blob/69ee3ff4467c4fe5cffa2ea7449851954bc45e26/src/ec_algorithm.ts#L21-L29 locally by using undefined instead of null and it seems to remove the NULL field.

Is it something you'd consider accepting in the library? If not, is there a way to overrides the default algorithm mapping ?

Thanks !

microshine commented 3 years ago

@fmonniot Thank you for pointing to this issue

RFC5480 says that ECDSA parameters are ABSENT. I fixed the problem and published the new version @peculiar/x509@1.3.2

SEQUENCE :
  OBJECT IDENTIFIER : 1.2.840.10045.4.1

is there a way to overrides the default algorithm mapping?

This module uses DI. It makes it possible to replace implementations in runtime. 

import { diAlgorithm } from "@peculiar/x509";
import { container, injectable } from "tsyringe";

@injectable()
export class EcAlgorithmEx extends EcAlgorithm {
 // your own implementation here
}

// Register algorithm provider
container.registerSingleton(diAlgorithm, EdAlgorithm);
fmonniot commented 3 years ago

Thank you, the new version does fix my issue. Thanks for pointing out how to work with the DI solution, much appreciated !