keytool generates incorrect EC AlgorithmIdentifier

Sean Mullan sean.mullan at oracle.com
Tue Aug 25 20:35:09 UTC 2020


On 8/25/20 12:33 PM, Anders Rundgren wrote:
> The command
>   keytool -genkeypair -keyalg ec -keysize 256 -dname "CN=me" -keystore 
> mycert.jks
> using JDK 11 generates the following signature:
> 
> 220:     SEQUENCE
>             {
> 222:         OBJECT IDENTIFIER ecdsa-with-Sha256 (1.2.840.10045.4.3.2)
> 232:         NULL
>             }
> 234:     BIT STRING, encapsulates
>             {
> 237:         SEQUENCE
>                 {
> 239:             INTEGER
>                     71 51 7a 19 ac 22 92 ef 3b 6d f8 1c 5f d6 5f 89
>                     3f 69 bf 84 aa ac a3 00 fb 3e 31 ef 3f b3 ea b4
> 273:             INTEGER
>                     1a 07 d1 24 fd b8 1d c8 70 ca 0d ab 35 b1 d0 d5
>                     b6 e2 b7 d7 02 38 36 63 d6 db ff ea 7f f0 7d a9
>                 }
>             }
>         }
> 
> AFAICT, "NULL" shouldn't be there although it in practice seems to be 
> benign
> I could be an idea to fix it for EdDSA which I guess suffers from the 
> same problem.
> 
> https://tools.ietf.org/html/rfc5758#section-3.2

Right. The RFC says:

    When the ecdsa-with-SHA224, ecdsa-with-SHA256, ecdsa-with-SHA384, or
    ecdsa-with-SHA512 algorithm identifier appears in the algorithm field
    as an AlgorithmIdentifier, the encoding MUST omit the parameters
    field.

I'll file a bug.

Did you test EdDSA? Looking at the latest JDK code, I see that EdDSA 
does not include NULL.

--Sean


More information about the security-dev mailing list