Closed Ulrar closed 4 years ago
hannesm
commented
6 years ago When I decode the above certificate with openssl, it shows an ECC key. X.509 does not support ECC right now (the reason is that the used crypto layer does not have ECC support, see https://github.com/mirleft/ocaml-nocrypto/issues/95 - which is required to support verify and sign operations). I still hope we'll get reasonable ECC support in OCaml soon.
hannesm
commented
5 years ago I looked again into this issue and the above certificate. My earlier assessment is wrong, the provided certificate contains a public key, but is signed with an RSA key. The reason why this certificate fails to parse is that the AlgorithmIdentifier is not followed by the mandatory (!?) param field set to NULL. I'm in the process of figuring out whether the NULL is actually mandatory (RFCs are slightly contradictory, lots of implementations seem to use/require NULL).
hannesm
commented
4 years ago since I comment here every 8-9 months, let me add some more information. the NULL is indeed optional, but due to some technical issues this is not easy to express in asn1-combinators at the moment -- an attempt to cope with it is in #114 which convolutes the implementation quite a bit. I'll later think about this issue again and may include a patch for the next release.
Hi,
I'm trying to implement the server side of U2F in ocaml, and for that I have to verify a signature. I'm trying to import the pem certificate provided by the hardware token, but it seems like the library is failing to parse it. It looks like this (that's the example certificate from the yubico docs) :
It seems valid when I decode it with openssl, so I assume the problem must be what it contains. Do you have by any chance an idea about what makes the parsing fail ? I've read in the doc some X503v3 extensions aren't supported, and that certificate seems to have some. Or is it the public key's format ?