New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incorrect Encoding of EC and EDDSA public keys #3000
Comments
Does anyone have access to an official version of ANSI X9.62? I found a draft online from 1997. Can someone verify that the official version says: "The elliptic curve public key (an ECPoint which is an OCTET STRING) is mapped to a subjectPublicKey (a BIT STRING)" This would also make more sense as RFC 8410 say EdDSA and ECDH:
|
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue #3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
I dont have ANSI X9.6.2, but for example in the EC standard, referes to the fields as you describe: |
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
See opensc issue OpenSC#3000 On branch X25519-improvements-2 Changes to be committed: modified: libopensc/card-openpgp.c modified: libopensc/pkcs15-pubkey.c modified: tools/pkcs11-tool.c modified: tools/pkcs15-init.c
Problem Description
OpenSC has two ways to encode EC, EDDSA and XEDDSA public keys:
ANSI X9.62 says: "The elliptic curve public key (an ECPoint which is an OCTET STRING) is mapped to
a subjectPublicKey (a BIT STRING)"
PKCS11 says: `CKA_EC_POINT | Byte array | DER-encoding of ANSI X9.62 ECPoint value Q".
EC keys where first added to OpenSC in c34caeb in 2010-11-30 as:
The line above should have been:
RFC 8410 also uses a BIT STRING.
PKCS15-v1.1 defines:
where: "The value shall, in the IC card case, be a path to a file
containing either a value of type ECPublicKey, of type SubjectPublicKeyInfo, or (in the
case of a card capable of performing on-chip EC public-key operations) some card
specific representation of a public EC key." The raw or ECPublicKey are not further defined. But either may be written to the card.
Proposed Resolution
Correct the encoding for EC, EDDSA and XEDDSA format keys to encode using BIT STRING.
Change the decoding to accept a choice of BIT STRING or OCTET STRING, so as to continue
to work with cards where the data was written using OCTET STRING.
All EC, EDDSA and XEDDSA will use the same correct encoding.
Unresolved Issues
The value retuned for CKA_EC_POINT will change from an OCTET STRING to a BIT STRING. This may cause problems with calling applications which wrongly expect OCTET STRING but should only accept BIT STRING. (pkcs11-tool is the only application known to request CKA_EC_POINT. Libp11 and pkcs11-provider need to be checked.)
CKO_PUBLIC_KEY does NOT have a CKA_VALUE but in V2.40 and 3.0 does have a CKA_PUBLIC_KEY_INFO:
"Byte array DER-encoding of the SubjectPublicKeyInfo for this public key. (MAY be empty, DEFAULT derived from the underlying public key data)."
OpenSC implements for CKO_PUBLIC_KEY a CKA_VALUE and a CKA_SPKI (listed as a vendor attribute)
So would be easy to add CKA_PUBLIC_KEY_INFO.
Steps to reproduce
Best example of current method using OCTET STRING with openpgp on Yubikey with
brainpoolP256r1
:Tag: '04' OCTET STRING Length: 0x41 EC key in uncompressed format of: "04||x||y"
New proposed BIT STRING:
Tag: '03' BIT STRING Length: 0x42 Unused bits in last byte: '00' EC key in uncompressed format of: "04||x||y"
(The "260 bits" calculation need to be fixed.)
Other places in code need to be identified to handle the "Unused bits in last byte" and EDDSA and XEDDSA keys do not have a "uncompressed format '04' byte.
The text was updated successfully, but these errors were encountered: