I'm in-lining the patch since it's more for discussion.
The ASN.1 for the PK algorithm is an OID, plus "optional parameters" followed by an opaque-type of "bit string". Each algorithm type is supposed to define its own interpretation of the optional parameters and the bit-string.
For RSA, optional parameters are not used (?)
For RSA, the public key is a sequence of two integers
For DSA, the optional parameters apparently encode "p,q,g"
For DSA, the public key is a single integer
For EC-PUB... it looks like a science project to extract the fields.
The code below doesn't convert bitstrings that aren't a multiple of 8 (unlikely to find any.. I put an assert in, but should throw an exception instead). It also separates the algorithm (cheap) from the public key (maybe not cheap). It works "fine" on RSA and DSA keys, but it explodes on EC-PUB since I need to write a DER/ASN1 spec for it.
The "dumb api" might be just a tuple of (algorithm-name, byte-string) and let the caller DER-it or whatever. The smart API might be breaking apart the bitstring by algorithm-type, and returning a table of fields (e.g. (rsa, {'p'=1234.., 'q'=213214, 'e'=3, etc})).
To make life more interesting, certs are just missing algorithm info completely (these are more generated test certs to test bugs etc, and not really used on the web).
What are your thoughts on this API? I'm happy to hack on it..
nickg
def subject_public_key_algorithm(self):
"""
Return 'short_name' for the OID, "RSA", "DSA", or "EC-PUBKEY"
normal case in 99.99% of cases
sometimes a DSA key is found (???)
in this case it's just a single integer.
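An added example, not part of the original post or its patch: a stdlib-only sketch of the "dumb" and "smart" APIs discussed above, which raises an exception instead of asserting when the BIT STRING has unused bits or the algorithm info is missing. The function names `read_tlv`, `parse_spki` and `key_fields` are hypothetical, the sample key is constructed, and the RSA branch returns the modulus and exponent as `n` and `e`.

```python
# Added example: walk a DER SubjectPublicKeyInfo by hand (no third-party ASN.1 library).
OIDS = {bytes.fromhex("2a864886f70d010101"): "RSA",   # 1.2.840.113549.1.1.1
        bytes.fromhex("2a8648ce380401"): "DSA"}       # 1.2.840.10040.4.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def parse_spki(der):
    """'Dumb' API: (algorithm name, raw parameter DER, key bytes)."""
    tag, spki, _ = read_tlv(der)
    atag, alg, pos = read_tlv(spki)        # AlgorithmIdentifier
    otag, oid, ppos = read_tlv(alg)        # raises if algorithm info is missing
    btag, bits, _ = read_tlv(spki, pos)    # subjectPublicKey BIT STRING
    if (tag, atag, otag, btag) != (0x30, 0x30, 0x06, 0x03):
        raise ValueError("not a SubjectPublicKeyInfo")
    if not bits or bits[0] != 0:           # first octet = count of unused bits
        raise ValueError("BIT STRING is not a whole number of octets")
    return OIDS.get(oid, oid.hex()), alg[ppos:], bits[1:]

def key_fields(name, key):
    """'Smart' API: split the key bytes according to the algorithm."""
    if name == "RSA":                      # SEQUENCE { modulus, publicExponent }
        _, seq, _ = read_tlv(key)
        _, n, pos = read_tlv(seq)
        _, e, _ = read_tlv(seq, pos)
        return {"n": int.from_bytes(n, "big"), "e": int.from_bytes(e, "big")}
    if name == "DSA":                      # a single INTEGER
        _, y, _ = read_tlv(key)
        return {"y": int.from_bytes(y, "big")}
    raise ValueError("no decoder for " + name)

# Constructed toy RSA key (n=3233, e=17), not taken from a real certificate.
SAMPLE = bytes.fromhex("301b300d06092a864886f70d0101010500030a00300702020ca1020111")
```

Keeping `parse_spki` separate from `key_fields` preserves the cheap/expensive split: the algorithm name is available without decoding the key integers.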