Thank you, Joel! I can confirm that with this change the signature does indeed validate in my code tests.
-derek On Mon, April 25, 2022 1:32 pm, Joel Höglund wrote: > A big thank you Derek, for your observation of the non validating > signature! > > The source of the bug was as mundane as a copy-paste error between draft > versions quite a while back, that obviously had gone unnoticed until now. > A > correct signature for the current sample native C509 certificate is: > > R = 4EFCEE214E2F3EB94BBDAE43C1948D144140233FC52FAC37428ED4BD8A050C5D > S = F980DF51B71C70D32B3E92D56A6C7AB0D2671B2B865A35B2E2CA421D44C5C93F > > <=> > > 0, > h'01f50d', > "RFC test CA", > 1577836800, > 1612224000, > h'0123456789AB', > 1, > h'02B1216AB96E5B3B3340F5BDF02E693F16213A04525ED44450 > B1019C2DFD3838AB', > 1, > 0, > h'4EFCEE214E2F3EB94BBDAE43C1948D144140233FC52FAC3742 > 8ED4BD8A050C5DF980DF51B71C70D32B3E92D56A6C7AB0D267 > 1B2B865A35B2E2CA421D44C5C93F' > > I apologize to you and anyone who spent time on this, updates with > corrections will soon be on their way. And should you find anything else > that seems strange we are very interested to know. > > Best Regards > > Joel Höglund > > On Mon, 25 Apr 2022 at 14:38, Derek Atkins <[email protected]> wrote: > >> Hi All, >> >> I am working on an implementation of C509 based on >> draft-ietf-cose-cbor-encoded-cert-03 and I wanted to report the issues >> I've found. >> >> First, there is a bug in the draft. In Figure 7, C509 Attributes in >> section 11.2, there are two entries with tag 21, the Inc. Country and >> the >> Domain Component. I suspect DC should be '22'? >> >> The second issue I'm having is that the certificate example in Appendix >> A.1.2 does not validate using the keys in Appendix A.1.3. I have >> verified that the isserPublicKey is valid, and it's exactly what I >> create >> when making the public key from the issuerPrivateKey. However, when I >> attempt to validate the A.1.2 certificate using the issuerPublicKey the >> signature is not valid. >> >> I am computing the SHA256 hash of the TBSCertificate sequence as >> b5bca215e1d1478d2fe7728a54089f2032a4a1a245fafb5bd21d9eeb9d076aed -- >> however I have no way to validate if this is correct. >> >> Has anyone written a C509 parser and successfully validated this >> certificate? If so, could you report what hash value you get from the >> TBSCertificate sequence? >> >> Thanks, >> >> -derek >> >> PS: I reported this directly to the authors last week, but figured I >> would >> reach out to a wider audience for validation of my issue(s). >> >> -- >> Derek Atkins 617-623-3745 >> [email protected] www.ihtfp.com >> Computer and Internet Security Consultant >> >> _______________________________________________ >> COSE mailing list >> [email protected] >> https://www.ietf.org/mailman/listinfo/cose >> > -- Derek Atkins 617-623-3745 [email protected] www.ihtfp.com Computer and Internet Security Consultant _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
