Comments (11)

hannesm commented on July 28, 2024

In Private_key.sign, the Public_key.trunc is applied as well before the Dsa.sign is called (part of 793b166). So the code you refer to is now different :)

But indeed I have not written a test for this.

from ocaml-x509.

hannesm commented on July 28, 2024

Oh, thanks for opening the issue. I'm travelling and will be back next week. If I understand you correctly, this is best fixed in mirage-crypto-ec (since it affects any ECDSA signature)? Do you have any test vector for this?

from ocaml-x509.

torinnd commented on July 28, 2024

Mirage-crypto-ec's [verify] interface implies to me that it is up to callers to ensure their [digest] is appropriately sized. If that's the case I think ocaml-x509 should be handling the truncation (though mirage-crypto-ec has the relevant [byte_length] information, which might need to be exposed to avoid code duplication / drift). I suppose one could change the behavior of [verify] to silently handle the truncation instead of failing, but am uncertain about the safety of doing so.

I don't have the arcana involved in convincing OpenSSL to mint such a certificate chain available. I'll try to sort that out and bump this issue with the test case, if you don't get to it first.

from ocaml-x509.

hannesm commented on July 28, 2024

I indeed have a regression test in my ecdsa-long-digest branch, hannesm@396d67c

from ocaml-x509.

hannesm commented on July 28, 2024

FWIW to generate a P256 key: openssl ecparam -out server.key -name secp256r1 -genkey
to generate a CA certificate using this key: openssl req -new -x509 -key server.key -out server.pem -days 360 -sha384 -addext keyUsage=keyCertSign

from ocaml-x509.

hannesm commented on July 28, 2024

progress: mirage/mirage-crypto@844b059 adds byte_length to the Dsa module type in Mirage_crypto_ec.

EDIT: now PRed as mirage-crypto 0.10.7 (ocaml/opam-repository#22103)

from ocaml-x509.

hannesm commented on July 28, 2024

See #159 for a test and fix. Does this work for you?

from ocaml-x509.

torinnd commented on July 28, 2024

I am not familiar enough with [Cstruct] to opine on the correctness of [Cstruct.sub] vs [Cstruct.take]. Naively I might've assumed it was always safe to call [Cstruct.take], but I expect this is semantically the same thing!

from ocaml-x509.

hannesm commented on July 28, 2024

Cstruct.take is pretty new, and I have not used it anywhere ;) That's my reasoning for using Cstruct.sub (which has been around since ever) ;)

from ocaml-x509.

torinnd commented on July 28, 2024

Oh, that only addresses the verify step. Did you look at whether signing works as well? Based on the MLI: "@raise Message_too_long if the bit size of [msg] exceeds the curve." it looks like there's the same problem around here:

    | #ecdsa as key, `ECDSA ->
      let* d = hashed () in
      Ok (ecdsa_to_cs (match key with
          | `P224 key -> P224.Dsa.sign ~key d
          | `P256 key -> P256.Dsa.sign ~key d
          | `P384 key -> P384.Dsa.sign ~key d
          | `P521 key -> P521.Dsa.sign ~key d))

from ocaml-x509.

hannesm commented on July 28, 2024

I manually tested sign with a modified ocaml-certify and openssl locally, merged the PR and cut a release. Thanks again for opening this issue.

from ocaml-x509.
