ocaml-x509

String

Open dinosaure opened this issue 1 year ago • 3 comments

On top of #166

dinosaure avatar Mar 22 '24 10:03 dinosaure

The ecdsa_sig stuff is a bit horrible.. I'm unsure whether we should go through Z instead? The downside is that we would construct a Z just to validate (non-negative) and deconstruct it again -- and on the encoding side, just to add or remove some 0x00...

What needs to be done for encoding:

  • if the signature has the high bit set of the first byte, we need to prepend a 0x00 byte (to avoid that being treated as a negative number)
  • if the signature has leading 0x00 bytes, they should be removed (unless the next byte is > 0x7F, where again we need a 0x00 in front) <- this may happen if the signature simply has some leading 0s...

For decoding, the asn.1 integer already takes care of avoiding the redundant form (no superfluous leading 0x00 bytes) -- all we need to check is that nobody gave us a negative number (thus first byte must be < 0x80). We cut away a potentially leading 0 since mirage-crypto-ec doesn't like these potentially too long (in terms of too many bytes, although they are 0) values...

hannesm avatar Apr 04 '24 21:04 hannesm
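
The encoding and decoding rules described in the comment above, written out on plain OCaml strings. This is an added example, not code from ocaml-x509 or mirage-crypto-ec; the function names are hypothetical, the strings are the content octets of an ASN.1 INTEGER (no tag or length), and left-padding the decoded value to a fixed width `len` is an assumption about what the caller wants.

```ocaml
(* Added example, not ocaml-x509 code; all names are hypothetical.
   Values are big-endian byte strings; "content" means the body of an
   ASN.1 INTEGER, already checked for minimal form by the ASN.1 layer. *)

(* Index of the first non-zero byte, or String.length s if all are zero. *)
let first_nonzero s =
  let n = String.length s in
  let rec go i = if i < n && s.[i] = '\x00' then go (i + 1) else i in
  go 0

(* Fixed-width unsigned r or s -> minimal INTEGER content octets. *)
let to_integer_content raw =
  let n = String.length raw in
  let i = first_nonzero raw in
  if i = n then "\x00" (* zero is a single 0x00 octet *)
  else
    let body = String.sub raw i (n - i) in
    (* high bit set: prepend 0x00 so the value is not read as negative *)
    if Char.code body.[0] > 0x7F then "\x00" ^ body else body

(* INTEGER content octets -> unsigned value of exactly [len] bytes
   (the padding to [len] is an assumption of this example). *)
let of_integer_content ~len content =
  let n = String.length content in
  if n = 0 then Error "empty INTEGER"
  else if Char.code content.[0] >= 0x80 then Error "negative INTEGER"
  else
    (* cut away the single leading 0x00 used as sign padding, if any *)
    let body =
      if n > 1 && content.[0] = '\x00' then String.sub content 1 (n - 1)
      else content
    in
    let m = String.length body in
    if m > len then Error "INTEGER too large"
    else Ok (String.make (len - m) '\x00' ^ body)

let () =
  (* constructed sample values, 4 bytes wide for readability *)
  assert (to_integer_content "\x80\x01\x02\x03" = "\x00\x80\x01\x02\x03");
  assert (to_integer_content "\x00\x00\x7f\x03" = "\x7f\x03");
  assert (to_integer_content "\x00\x00\x80\x03" = "\x00\x80\x03");
  assert (of_integer_content ~len:4 "\x00\x80\x03" = Ok "\x00\x00\x80\x03");
  assert (of_integer_content ~len:4 "\x80\x03" = Error "negative INTEGER")
```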

Still issues on 32bit architectures and ppc64... need to investigate, will do with some local system to test with.

hannesm avatar Apr 08 '24 08:04 hannesm

Tested locally with docker and mirage/mirage-crypto#226 and it works :tada:.

dinosaure avatar Apr 20 '24 12:04 dinosaure

The last commit represents a serial number to be an unsigned integer with at most 20 octets. This is a breaking change, and makes the behaviour more strict with respect to RFC 5280. Taking into consideration that e.g. the NSS trust anchors serials are fine, my plan is to document and release, and if there's pushback we will revise the checks.

hannesm avatar Jun 11 '24 08:06 hannesm

I removed the pin depends. This looks good to go, all we need is a changes entry, and a decision whether to add #164 to the release (it'll be a 1.0, I'm happy to include #164).

I'm fine to merge, I can as well tag a release on Github once we're good. Since I don't have my laptop this month, I won't be able to do a dune-release / opam-publish (or PR to opam-repository), but I'm sure once a release is here someone (@dinosaure ?) can run opam-publish to get something onto opam-repository.

hannesm avatar Jul 17 '24 10:07 hannesm

Yes, if the tag is available and the tarball, I will be happy to make a release into opam-repository then :+1:

dinosaure avatar Jul 17 '24 12:07 dinosaure

thanks a lot

hannesm avatar Jul 18 '24 10:07 hannesm