Hi All,

I am working on an implementation of C509 based on
draft-ietf-cose-cbor-encoded-cert-03 and I wanted to report the issues
I've found.

First, there is a bug in the draft. In Figure 7, C509 Attributes in
section 11.2, there are two entries with tag 21, the Inc. Country and the
Domain Component. I suspect DC should be '22'?

The second issue I'm having is that the certificate example in Appendix
A.1.2 does not validate using the keys in Appendix A.1.3. I have
verified that the issuerPublicKey is valid, and it's exactly what I create
when making the public key from the issuerPrivateKey. However, when I
attempt to validate the A.1.2 certificate using the issuerPublicKey the
signature is not valid.

I am computing the SHA256 hash of the TBSCertificate sequence as
b5bca215e1d1478d2fe7728a54089f2032a4a1a245fafb5bd21d9eeb9d076aed --
however I have no way to validate if this is correct.

Has anyone written a C509 parser and successfully validated this
certificate? If so, could you report what hash value you get from the
TBSCertificate sequence?

Thanks,

-derek

PS: I reported this directly to the authors last week, but figured I would
reach out to a wider audience for validation of my issue(s).
--
Derek Atkins 617-623-3745
[email protected] www.ihtfp.com
Computer and Internet Security Consultant