Part 15 Key Lengths validation check

[LizHahessy]

At S-100 WG8 the following action was agreed: S-100WG8 approved the proposals:

1. To clarify Part 15 to state 2028 bit keys with a 256 bit q parameter.
2. To clarify the openssl commend used to generate DSA parameters in Part 15.
3. Key length tests to be added to the S-100 level validation tests.

S-100 Validation sub group to ensure that a check is written to cover this, following revision of S-100 5.2.0 Part 15.

[robertsandvik]

I think that this validation check should be reviewed to reflect changes introduced in S-100e5.2 part 15 where some of the algorithms were changed for Digital Certificates and Digital Signatures. A generic list of possible validation tests related to part 15 could be:

• Check that the encoded DataServer certificate encoded in the CATALOG.XML and CATALOG.SIGN is for the correct edition of S-100 (note that different editions of S-100 use different algorithms and key lengths; S-100e4: DSA and 1024 bits; S-100e5.0/5.1: DSA 2048 bits; S-100e5.2: ECDSA P-384)
• Check that the Data Server certificate in use has been issued by IHO as scheme administrator in CATALOG.XML and CATALOG.SIGN (certificates must be encoded as , otherwise it is not the IHO protection scheme)
• Authenticate that IHO has issued the Data Server certificate (e.g. can use the the following openssl command: openssl verify -verbose -CAfile IHO-S100ed5.2-root.CRT dataserver.crt
• Check the validity of the Data Server certificate; e.g. certificate duration (openssl x509 -noout -in dataserver.crt -dates)
• Check that the digital signature reference encoded in CATALOG.XML is ECDSA-384-SHA2
• Authenticate the signature of all the referenced file(s) in CATALOG.XML and CATALOG.SIGN
• Check the Data Server certificate has proper encoding of Data Server roles (encoded in the Certificate "State or Province" field) and Data Server producer code (encoded in the Certificate "Common Name" field). These are some of the new issues defined in som other S-164 tests and used to determine if the dataset is official or not

[MikusRL]

@LizHahessy We will wrap the above up in the validation checks in the form as needed for the excel spreadsheet and will send it to you. Unless anyone has any arguments to the changes @robertsandvik has proposed versus the ones that were requested by the S-100 WG8, I suggest that this case can be closed, as the validation checks proposed by @robertsandvik will include the requested check.

[LizHahessy]

Primar to supply Part 15 checks, which will include Key Length checks. They will be available for comment/review once received. Closed issue.