Support ECDSA explicit curve parameters for ICAO 9303 certificates #885
Comments
|
Hi again: The erroneous certificates can`t be parser by java standard security provider. If we try it, we obtain: In the other hand OpenSSL and Bouncy Castle Security provider parse both certificates. I wish this info helps. |
|
Explicit curve parameters aren’t supported by the Golang x509 parser. RFC 5280 also doesn’t allow them. I think it is unlikely Zlint will add support for them. Is there a reason you are using explicit curve parameters? |
|
Hi, explicit curve parameters are a client requirement. Thanks by your fast answer. |
|
Can you expand on that any further? This is an effectively obsolete and unsupported feature, so I think it would be a big change to support it. Is there some ecosystem that uses this, and if so, why? |
|
The use case is to validate the certificate profiles used for signature processes included in ICAO 9303 - PKI for eMRTDS. |
|
thanks. For my own reference, that document is available in English at https://www.icao.int/publications/Documents/9303_p12_cons_en.pdf Specifically:
|
|
I've renamed the ticket to more accurately describe the issue at hand. |
mcpherrinm
changed the title
|
It's better so! Thanks again |
|
At some point, we're going to likely have our own more flexible ASN.1 parser (@dadrian is hacking on), but, for the time being, I think this is going to fall out of scope since the certificates violate 5280. |
When i try to analyze a pem certificate with Zlint i get this error.
time="2024-10-08T08:18:42+02:00" level=fatal msg="unable to parse certificate: asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:320 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @4"
Someone can help me??
thanks in advance.
The text was updated successfully, but these errors were encountered: