Keytool does not agree with RFC 8410
    Anders Rundgren 
    anders.rundgren.net at gmail.com
    Mon Feb  1 07:32:20 UTC 2021
On 2021-01-31 20:00, Wei-Jun Wang wrote:
> https://bugs.openjdk.java.net/browse/JDK-8260693 filed.
Thanx!
In the bug report you also write:
     We'll also need a way to generate this kind of certificate (or certreq).
     There is no signature algorithm on XDH and we need to use EdDSA instead.
     See https://tools.ietf.org/html/rfc8410#section-10.2.
AFAIK there is no standard for CSRs for encryption keys.  You need to use a signature key that sort of vouches for the enclosed public key.  This key may use any valid signature algorithm.
As a side note, my own applications use a key container attestation key for *all* CSRs which is a more useful method than self-signed CSRs.
Regards,
Anders
> 
> Thanks,
> Max
> 
>> On Jan 31, 2021, at 2:12 AM, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
>>
>> Since the JDK bug report tool does not include "keytool" I posted this here.
>>
>> Keytool for JDK 15 reports "Subject Public Key Algorithm: XDH key of unknown size" for a certificate containing the following public key:
>>
>>   148:     SEQUENCE {
>>   150:       SEQUENCE {
>>   152:         OBJECT IDENTIFIER X25519 (1.3.101.110)
>>              }
>>   157:       BIT STRING, 32 bytes
>>        0000: a3 5e 94 ef bd d0 41 86 90 07 87 9e 80 d0 a5 76 '.^....A........v'
>>        0010: 0e a1 ba 82 19 2e c3 90 21 89 05 5a f6 d9 e6 50 '........!..Z...P'
>>            }
>>
>> which seems to be aligned with: https://tools.ietf.org/html/rfc8410#section-10.2
>>
>> You can verify this issue by importing the certificate in the RFC.
>>
>> Anders
> 
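As an added illustration (not code from the thread, the JDK or the bug report), a minimal DER walker for the RFC 8410 SubjectPublicKeyInfo quoted above: it derives the curve and the key size from the algorithm OID and the BIT STRING length alone, which is exactly the information keytool reports as "unknown". The sample bytes are the X25519 key from the dump; the DER headers around it are reconstructed from the offsets shown, and the OID/length table is taken from RFC 8410 section 3.

```python
# Added example (not from the thread or the JDK): minimal DER walker for an
# RFC 8410 SubjectPublicKeyInfo, deriving curve and key size from OID + BIT STRING.

# RFC 8410 section 3 OIDs and the raw public key length each one implies.
CURVES = {"1.3.101.110": ("X25519", 32), "1.3.101.111": ("X448", 56),
          "1.3.101.112": ("Ed25519", 32), "1.3.101.113": ("Ed448", 57)}

# The SPKI from the dump above (RFC 8410 section 10.2 example key); the DER
# headers 30 2a / 30 05 / 06 03 / 03 21 00 are reconstructed from its offsets.
SAMPLE_SPKI = bytes.fromhex(
    "302a300506032b656e032100"
    "a35e94efbdd041869007879e80d0a5760ea1ba82192ec3902189055af6d9e650")

def _tlv(buf, pos):
    # Decode one DER tag/length/value at pos -> (tag, value, next_pos).
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(value):
    # Decode OID content bytes to dotted form (first byte = 40*arc1 + arc2, then base-128 arcs).
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_rfc8410_spki(der):
    # Returns (curve name, key size in bytes, raw key); raises ValueError otherwise.
    tag, spki, _ = _tlv(der, 0)
    seq_tag, algid, pos = _tlv(spki, 0)
    oid_tag, oid_bytes, end = _tlv(algid, 0)
    if (tag, seq_tag, oid_tag) != (0x30, 0x30, 0x06):
        raise ValueError("expected SEQUENCE { SEQUENCE { OID } BIT STRING }")
    if end != len(algid):  # RFC 8410 section 3: parameters MUST be absent
        raise ValueError("AlgorithmIdentifier.parameters present")
    oid = _oid(oid_bytes)
    if oid not in CURVES:
        raise ValueError("not an RFC 8410 algorithm: " + oid)
    bs_tag, bits, _ = _tlv(spki, pos)
    if bs_tag != 0x03 or bits[:1] != b"\x00":  # BIT STRING, zero unused bits
        raise ValueError("malformed subjectPublicKey BIT STRING")
    name, expected = CURVES[oid]
    if len(bits) - 1 != expected:
        raise ValueError(f"{name} key must be {expected} bytes, got {len(bits) - 1}")
    return name, expected, bits[1:]
```

Running `parse_rfc8410_spki(SAMPLE_SPKI)` yields `("X25519", 32, <32 raw key bytes>)`, and an AlgorithmIdentifier carrying a NULL parameter is rejected, as RFC 8410 requires.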