W3C home > Mailing lists > Public > public-xg-webid@w3.org > November 2011

Re: rsa ontology in cert namespace

From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
Date: Tue, 22 Nov 2011 18:32:49 +0000
Cc: Tim Berners-Lee <timbl@w3.org>, WebID XG <public-xg-webid@w3.org>
Message-Id: <6C52588B-790D-484A-94AD-AC621BE45660@bbc.co.uk>
To: Henry Story <henry.story@bblfish.net>

On 22 Nov 2011, at 17:54, Henry Story wrote:

> The only reason is that 
> 1. certificates tools tend to all display them in hex format, so that comparison is easier if one can do a quick comparison like that
> 2. there is no xsd:hexInteger and xsd:base64Integer - that is what we are all missing
> 3. it is a bit longer to write the numbers out in base 10
> 
> These are really silly issues, but we are kind of stuck with them. the xml-dsig people went to encode everything in base64. 

All understandable issues. I'd steer clear of base64  no tools will understand it.

> I tried coming up with cert:hex which looks nice, allows you to put peace symbols in your hex and does a lot of other cool things, but then we can't do a simple SPARQL ASK query because it is not standard. I am thinking here of large providers that would want their queries to be extremely efficient. 
> Do you have a DSA certificate? Then we can quickly look up how these are displayed in openssl and in keychains on different operating systems?

Here we go  bear with me. This is a complete transcript, including manually decoding the DER blobs:

% openssl dsaparam 2048 -out test.dsaparam
Generating DSA parameters, 2048 bit long prime
This could take some time
.....+.....+.............+...................+........+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++*

% openssl asn1parse -in test.dsaparam
    0:d=0  hl=4 l= 544 cons: SEQUENCE          
    4:d=1  hl=4 l= 257 prim: INTEGER           :813B36F8B9B491C17F8C1BB0A99964E968346B821570F09D72ECD277C13411521EFF75539D860352A786538F8BBD2679146CC1301347D0405BD472745D9D6EBCF88AD8C45FEE6896393F1E6A8313AB9DAD9D7E10D998265F52F2EBE86BC29BAC429835DF3D889522C344B47FFE1ACD3E040EA712307297E7796E6656918CFB8496F433371684ABF55294FDFCEBEF8F02DA69DB0703AEDAF4C126FC7A2D044B90EA2A1BB710462375FE35D8776498B38BCA7070AB8CEB569456800AB912A30B5CBA23F9AEE81BDA52067BA5D7453B81BDA969FF2BF006B6879F2C6907303A68E0405283044A97850D73372B34359548254C3DB959C07F58F5D4E722E9C34D93AD
  265:d=1  hl=2 l=  21 prim: INTEGER           :92DC11288F468B60AD9837E11FE790058AD115FB
  288:d=1  hl=4 l= 256 prim: INTEGER           :7C510B45767862FA97BEE1835989A9D18E1B9C39DDAADFFF4D126FE755101DCF26B107E0482731BC2F1D6DE5F642E086B6E56C73FE76A5B09D03C1E6C3A4A87E20E58BF26F9F4026765BA83E10FA11E566D83DF0F84B1A57CB346DB42A0CB803559576ABEC09300BFD72F5782B40F925E05CC34A8D79D661CBB0BD7671E8D6261383FF733DF59030597E067FD28295F5CF053ADA89DB9BB134822D0E6F3A59C995D8434FE41D0F57BCB013CD4C1A3B8C82EA69C7988CB6FF034770716BAFA9F2BF7DF02EB780FD3CFEE98DBA965A2EA377FCDEDE202D89E8005BC419C536EBC3DB28019AFD05E47D0A1EBD6D3CE89DDC91CF9975F1AF4DF191D2F5B78A8287EE

% openssl gendsa -out test.dsa test.dsaparam
Generating DSA key, 2048 bits

% openssl asn1parse -in test.dsa
    0:d=0  hl=4 l= 829 cons: SEQUENCE          
    4:d=1  hl=2 l=   1 prim: INTEGER           :00
    7:d=1  hl=4 l= 257 prim: INTEGER           :813B36F8B9B491C17F8C1BB0A99964E968346B821570F09D72ECD277C13411521EFF75539D860352A786538F8BBD2679146CC1301347D0405BD472745D9D6EBCF88AD8C45FEE6896393F1E6A8313AB9DAD9D7E10D998265F52F2EBE86BC29BAC429835DF3D889522C344B47FFE1ACD3E040EA712307297E7796E6656918CFB8496F433371684ABF55294FDFCEBEF8F02DA69DB0703AEDAF4C126FC7A2D044B90EA2A1BB710462375FE35D8776498B38BCA7070AB8CEB569456800AB912A30B5CBA23F9AEE81BDA52067BA5D7453B81BDA969FF2BF006B6879F2C6907303A68E0405283044A97850D73372B34359548254C3DB959C07F58F5D4E722E9C34D93AD
  268:d=1  hl=2 l=  21 prim: INTEGER           :92DC11288F468B60AD9837E11FE790058AD115FB
  291:d=1  hl=4 l= 256 prim: INTEGER           :7C510B45767862FA97BEE1835989A9D18E1B9C39DDAADFFF4D126FE755101DCF26B107E0482731BC2F1D6DE5F642E086B6E56C73FE76A5B09D03C1E6C3A4A87E20E58BF26F9F4026765BA83E10FA11E566D83DF0F84B1A57CB346DB42A0CB803559576ABEC09300BFD72F5782B40F925E05CC34A8D79D661CBB0BD7671E8D6261383FF733DF59030597E067FD28295F5CF053ADA89DB9BB134822D0E6F3A59C995D8434FE41D0F57BCB013CD4C1A3B8C82EA69C7988CB6FF034770716BAFA9F2BF7DF02EB780FD3CFEE98DBA965A2EA377FCDEDE202D89E8005BC419C536EBC3DB28019AFD05E47D0A1EBD6D3CE89DDC91CF9975F1AF4DF191D2F5B78A8287EE
  551:d=1  hl=4 l= 256 prim: INTEGER           :7AA8A2899A04DCDF6C941E2AC3C1D4554837839C35D9C524BA117BEBB3B556666414FAB59461F48B5EFF81CA7D26250424DA181C04B3EB05D3FA4467649EC7753AD541A9B9988ABAF120B677D4F2895D73D007FAE1183E289D899BDC4B0F4C370B89B55BB24AA6E824AC9366CCF0BCEFC3137CD4EBC86A23EBAF5C14052FE2CA54ACEFA4BEBC34F911DD84F5749894216B313CA8B904D46A1B067C81EC521EA9F04465AD52E2CFBB430B1DBFFAC6F5F7DD892EFC8388B34589A2C9ADB0D7368C32EC3491645E92EDF24B81E5C3A69D4AB8BE89D9493DE8AAC489A684831A8B071DD24364FB99E09E70335140E8BCB088424EBBB2A1733BA52C6AEAEDC2471D6C
  811:d=1  hl=2 l=  20 prim: INTEGER           :25BC18532788D9FFD254BDC5058D37E43D7B87ED

% openssl dsa -in test.dsa -noout -modulus
read DSA key
Public Key=7AA8A2899A04DCDF6C941E2AC3C1D4554837839C35D9C524BA117BEBB3B556666414FAB59461F48B5EFF81CA7D26250424DA181C04B3EB05D3FA4467649EC7753AD541A9B9988ABAF120B677D4F2895D73D007FAE1183E289D899BDC4B0F4C370B89B55BB24AA6E824AC9366CCF0BCEFC3137CD4EBC86A23EBAF5C14052FE2CA54ACEFA4BEBC34F911DD84F5749894216B313CA8B904D46A1B067C81EC521EA9F04465AD52E2CFBB430B1DBFFAC6F5F7DD892EFC8388B34589A2C9ADB0D7368C32EC3491645E92EDF24B81E5C3A69D4AB8BE89D9493DE8AAC489A684831A8B071DD24364FB99E09E70335140E8BCB088424EBBB2A1733BA52C6AEAEDC2471D6C

% openssl dsa -in test.dsa -noout -text
read DSA key
Private-Key: (2048 bit)
priv:
    25:bc:18:53:27:88:d9:ff:d2:54:bd:c5:05:8d:37:
    e4:3d:7b:87:ed
pub: 
    7a:a8:a2:89:9a:04:dc:df:6c:94:1e:2a:c3:c1:d4:
    55:48:37:83:9c:35:d9:c5:24:ba:11:7b:eb:b3:b5:
    56:66:64:14:fa:b5:94:61:f4:8b:5e:ff:81:ca:7d:
    26:25:04:24:da:18:1c:04:b3:eb:05:d3:fa:44:67:
    64:9e:c7:75:3a:d5:41:a9:b9:98:8a:ba:f1:20:b6:
    77:d4:f2:89:5d:73:d0:07:fa:e1:18:3e:28:9d:89:
    9b:dc:4b:0f:4c:37:0b:89:b5:5b:b2:4a:a6:e8:24:
    ac:93:66:cc:f0:bc:ef:c3:13:7c:d4:eb:c8:6a:23:
    eb:af:5c:14:05:2f:e2:ca:54:ac:ef:a4:be:bc:34:
    f9:11:dd:84:f5:74:98:94:21:6b:31:3c:a8:b9:04:
    d4:6a:1b:06:7c:81:ec:52:1e:a9:f0:44:65:ad:52:
    e2:cf:bb:43:0b:1d:bf:fa:c6:f5:f7:dd:89:2e:fc:
    83:88:b3:45:89:a2:c9:ad:b0:d7:36:8c:32:ec:34:
    91:64:5e:92:ed:f2:4b:81:e5:c3:a6:9d:4a:b8:be:
    89:d9:49:3d:e8:aa:c4:89:a6:84:83:1a:8b:07:1d:
    d2:43:64:fb:99:e0:9e:70:33:51:40:e8:bc:b0:88:
    42:4e:bb:b2:a1:73:3b:a5:2c:6a:ea:ed:c2:47:1d:
    6c
P:   
    00:81:3b:36:f8:b9:b4:91:c1:7f:8c:1b:b0:a9:99:
    64:e9:68:34:6b:82:15:70:f0:9d:72:ec:d2:77:c1:
    34:11:52:1e:ff:75:53:9d:86:03:52:a7:86:53:8f:
    8b:bd:26:79:14:6c:c1:30:13:47:d0:40:5b:d4:72:
    74:5d:9d:6e:bc:f8:8a:d8:c4:5f:ee:68:96:39:3f:
    1e:6a:83:13:ab:9d:ad:9d:7e:10:d9:98:26:5f:52:
    f2:eb:e8:6b:c2:9b:ac:42:98:35:df:3d:88:95:22:
    c3:44:b4:7f:fe:1a:cd:3e:04:0e:a7:12:30:72:97:
    e7:79:6e:66:56:91:8c:fb:84:96:f4:33:37:16:84:
    ab:f5:52:94:fd:fc:eb:ef:8f:02:da:69:db:07:03:
    ae:da:f4:c1:26:fc:7a:2d:04:4b:90:ea:2a:1b:b7:
    10:46:23:75:fe:35:d8:77:64:98:b3:8b:ca:70:70:
    ab:8c:eb:56:94:56:80:0a:b9:12:a3:0b:5c:ba:23:
    f9:ae:e8:1b:da:52:06:7b:a5:d7:45:3b:81:bd:a9:
    69:ff:2b:f0:06:b6:87:9f:2c:69:07:30:3a:68:e0:
    40:52:83:04:4a:97:85:0d:73:37:2b:34:35:95:48:
    25:4c:3d:b9:59:c0:7f:58:f5:d4:e7:22:e9:c3:4d:
    93:ad
Q:   
    00:92:dc:11:28:8f:46:8b:60:ad:98:37:e1:1f:e7:
    90:05:8a:d1:15:fb
G:   
    7c:51:0b:45:76:78:62:fa:97:be:e1:83:59:89:a9:
    d1:8e:1b:9c:39:dd:aa:df:ff:4d:12:6f:e7:55:10:
    1d:cf:26:b1:07:e0:48:27:31:bc:2f:1d:6d:e5:f6:
    42:e0:86:b6:e5:6c:73:fe:76:a5:b0:9d:03:c1:e6:
    c3:a4:a8:7e:20:e5:8b:f2:6f:9f:40:26:76:5b:a8:
    3e:10:fa:11:e5:66:d8:3d:f0:f8:4b:1a:57:cb:34:
    6d:b4:2a:0c:b8:03:55:95:76:ab:ec:09:30:0b:fd:
    72:f5:78:2b:40:f9:25:e0:5c:c3:4a:8d:79:d6:61:
    cb:b0:bd:76:71:e8:d6:26:13:83:ff:73:3d:f5:90:
    30:59:7e:06:7f:d2:82:95:f5:cf:05:3a:da:89:db:
    9b:b1:34:82:2d:0e:6f:3a:59:c9:95:d8:43:4f:e4:
    1d:0f:57:bc:b0:13:cd:4c:1a:3b:8c:82:ea:69:c7:
    98:8c:b6:ff:03:47:70:71:6b:af:a9:f2:bf:7d:f0:
    2e:b7:80:fd:3c:fe:e9:8d:ba:96:5a:2e:a3:77:fc:
    de:de:20:2d:89:e8:00:5b:c4:19:c5:36:eb:c3:db:
    28:01:9a:fd:05:e4:7d:0a:1e:bd:6d:3c:e8:9d:dc:
    91:cf:99:75:f1:af:4d:f1:91:d2:f5:b7:8a:82:87:
    ee

% openssl req -new -x509 -key test.dsa -out test.pem 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:

% openssl x509 -in test.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:4d:26:8f:ee:21:4e:82
        Signature Algorithm: dsaWithSHA1
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Validity
            Not Before: Nov 22 18:15:50 2011 GMT
            Not After : Dec 22 18:15:50 2011 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
                pub: 
                    7a:a8:a2:89:9a:04:dc:df:6c:94:1e:2a:c3:c1:d4:
                    55:48:37:83:9c:35:d9:c5:24:ba:11:7b:eb:b3:b5:
                    56:66:64:14:fa:b5:94:61:f4:8b:5e:ff:81:ca:7d:
                    26:25:04:24:da:18:1c:04:b3:eb:05:d3:fa:44:67:
                    64:9e:c7:75:3a:d5:41:a9:b9:98:8a:ba:f1:20:b6:
                    77:d4:f2:89:5d:73:d0:07:fa:e1:18:3e:28:9d:89:
                    9b:dc:4b:0f:4c:37:0b:89:b5:5b:b2:4a:a6:e8:24:
                    ac:93:66:cc:f0:bc:ef:c3:13:7c:d4:eb:c8:6a:23:
                    eb:af:5c:14:05:2f:e2:ca:54:ac:ef:a4:be:bc:34:
                    f9:11:dd:84:f5:74:98:94:21:6b:31:3c:a8:b9:04:
                    d4:6a:1b:06:7c:81:ec:52:1e:a9:f0:44:65:ad:52:
                    e2:cf:bb:43:0b:1d:bf:fa:c6:f5:f7:dd:89:2e:fc:
                    83:88:b3:45:89:a2:c9:ad:b0:d7:36:8c:32:ec:34:
                    91:64:5e:92:ed:f2:4b:81:e5:c3:a6:9d:4a:b8:be:
                    89:d9:49:3d:e8:aa:c4:89:a6:84:83:1a:8b:07:1d:
                    d2:43:64:fb:99:e0:9e:70:33:51:40:e8:bc:b0:88:
                    42:4e:bb:b2:a1:73:3b:a5:2c:6a:ea:ed:c2:47:1d:
                    6c
                P:   
                    00:81:3b:36:f8:b9:b4:91:c1:7f:8c:1b:b0:a9:99:
                    64:e9:68:34:6b:82:15:70:f0:9d:72:ec:d2:77:c1:
                    34:11:52:1e:ff:75:53:9d:86:03:52:a7:86:53:8f:
                    8b:bd:26:79:14:6c:c1:30:13:47:d0:40:5b:d4:72:
                    74:5d:9d:6e:bc:f8:8a:d8:c4:5f:ee:68:96:39:3f:
                    1e:6a:83:13:ab:9d:ad:9d:7e:10:d9:98:26:5f:52:
                    f2:eb:e8:6b:c2:9b:ac:42:98:35:df:3d:88:95:22:
                    c3:44:b4:7f:fe:1a:cd:3e:04:0e:a7:12:30:72:97:
                    e7:79:6e:66:56:91:8c:fb:84:96:f4:33:37:16:84:
                    ab:f5:52:94:fd:fc:eb:ef:8f:02:da:69:db:07:03:
                    ae:da:f4:c1:26:fc:7a:2d:04:4b:90:ea:2a:1b:b7:
                    10:46:23:75:fe:35:d8:77:64:98:b3:8b:ca:70:70:
                    ab:8c:eb:56:94:56:80:0a:b9:12:a3:0b:5c:ba:23:
                    f9:ae:e8:1b:da:52:06:7b:a5:d7:45:3b:81:bd:a9:
                    69:ff:2b:f0:06:b6:87:9f:2c:69:07:30:3a:68:e0:
                    40:52:83:04:4a:97:85:0d:73:37:2b:34:35:95:48:
                    25:4c:3d:b9:59:c0:7f:58:f5:d4:e7:22:e9:c3:4d:
                    93:ad
                Q:   
                    00:92:dc:11:28:8f:46:8b:60:ad:98:37:e1:1f:e7:
                    90:05:8a:d1:15:fb
                G:   
                    7c:51:0b:45:76:78:62:fa:97:be:e1:83:59:89:a9:
                    d1:8e:1b:9c:39:dd:aa:df:ff:4d:12:6f:e7:55:10:
                    1d:cf:26:b1:07:e0:48:27:31:bc:2f:1d:6d:e5:f6:
                    42:e0:86:b6:e5:6c:73:fe:76:a5:b0:9d:03:c1:e6:
                    c3:a4:a8:7e:20:e5:8b:f2:6f:9f:40:26:76:5b:a8:
                    3e:10:fa:11:e5:66:d8:3d:f0:f8:4b:1a:57:cb:34:
                    6d:b4:2a:0c:b8:03:55:95:76:ab:ec:09:30:0b:fd:
                    72:f5:78:2b:40:f9:25:e0:5c:c3:4a:8d:79:d6:61:
                    cb:b0:bd:76:71:e8:d6:26:13:83:ff:73:3d:f5:90:
                    30:59:7e:06:7f:d2:82:95:f5:cf:05:3a:da:89:db:
                    9b:b1:34:82:2d:0e:6f:3a:59:c9:95:d8:43:4f:e4:
                    1d:0f:57:bc:b0:13:cd:4c:1a:3b:8c:82:ea:69:c7:
                    98:8c:b6:ff:03:47:70:71:6b:af:a9:f2:bf:7d:f0:
                    2e:b7:80:fd:3c:fe:e9:8d:ba:96:5a:2e:a3:77:fc:
                    de:de:20:2d:89:e8:00:5b:c4:19:c5:36:eb:c3:db:
                    28:01:9a:fd:05:e4:7d:0a:1e:bd:6d:3c:e8:9d:dc:
                    91:cf:99:75:f1:af:4d:f1:91:d2:f5:b7:8a:82:87:
                    ee
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                3E:F0:AD:08:81:CE:0D:C3:2F:F2:F1:FB:BB:49:2A:BD:7F:61:86:71
            X509v3 Authority Key Identifier: 
                keyid:3E:F0:AD:08:81:CE:0D:C3:2F:F2:F1:FB:BB:49:2A:BD:7F:61:86:71
                DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
                serial:E9:4D:26:8F:EE:21:4E:82

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: dsaWithSHA1
        30:2c:02:14:18:4b:d1:a2:39:8e:73:69:52:ad:1e:ad:2b:8b:
        01:94:4c:8c:a9:79:02:14:10:ec:76:c3:39:d4:c0:ef:65:4d:
        c2:7d:6f:d6:07:f4:59:aa:e9:7c

% openssl asn1parse -in test.pem
    0:d=0  hl=4 l=1265 cons: SEQUENCE          
    4:d=1  hl=4 l=1201 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :E94D268FEE214E82
   24:d=2  hl=2 l=   9 cons: SEQUENCE          
   26:d=3  hl=2 l=   7 prim: OBJECT            :dsaWithSHA1
   35:d=2  hl=2 l=  69 cons: SEQUENCE          
   37:d=3  hl=2 l=  11 cons: SET               
   39:d=4  hl=2 l=   9 cons: SEQUENCE          
   41:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   46:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
   50:d=3  hl=2 l=  19 cons: SET               
   52:d=4  hl=2 l=  17 cons: SEQUENCE          
   54:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   59:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Some-State
   71:d=3  hl=2 l=  33 cons: SET               
   73:d=4  hl=2 l=  31 cons: SEQUENCE          
   75:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   80:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :Internet Widgits Pty Ltd
  106:d=2  hl=2 l=  30 cons: SEQUENCE          
  108:d=3  hl=2 l=  13 prim: UTCTIME           :111122181550Z
  123:d=3  hl=2 l=  13 prim: UTCTIME           :111222181550Z
  138:d=2  hl=2 l=  69 cons: SEQUENCE          
  140:d=3  hl=2 l=  11 cons: SET               
  142:d=4  hl=2 l=   9 cons: SEQUENCE          
  144:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  149:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
  153:d=3  hl=2 l=  19 cons: SET               
  155:d=4  hl=2 l=  17 cons: SEQUENCE          
  157:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  162:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Some-State
  174:d=3  hl=2 l=  33 cons: SET               
  176:d=4  hl=2 l=  31 cons: SEQUENCE          
  178:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  183:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :Internet Widgits Pty Ltd
  209:d=2  hl=4 l= 826 cons: SEQUENCE          
  213:d=3  hl=4 l= 557 cons: SEQUENCE          
  217:d=4  hl=2 l=   7 prim: OBJECT            :dsaEncryption
  226:d=4  hl=4 l= 544 cons: SEQUENCE          
  230:d=5  hl=4 l= 257 prim: INTEGER           :813B36F8B9B491C17F8C1BB0A99964E968346B821570F09D72ECD277C13411521EFF75539D860352A786538F8BBD2679146CC1301347D0405BD472745D9D6EBCF88AD8C45FEE6896393F1E6A8313AB9DAD9D7E10D998265F52F2EBE86BC29BAC429835DF3D889522C344B47FFE1ACD3E040EA712307297E7796E6656918CFB8496F433371684ABF55294FDFCEBEF8F02DA69DB0703AEDAF4C126FC7A2D044B90EA2A1BB710462375FE35D8776498B38BCA7070AB8CEB569456800AB912A30B5CBA23F9AEE81BDA52067BA5D7453B81BDA969FF2BF006B6879F2C6907303A68E0405283044A97850D73372B34359548254C3DB959C07F58F5D4E722E9C34D93AD
  491:d=5  hl=2 l=  21 prim: INTEGER           :92DC11288F468B60AD9837E11FE790058AD115FB
  514:d=5  hl=4 l= 256 prim: INTEGER           :7C510B45767862FA97BEE1835989A9D18E1B9C39DDAADFFF4D126FE755101DCF26B107E0482731BC2F1D6DE5F642E086B6E56C73FE76A5B09D03C1E6C3A4A87E20E58BF26F9F4026765BA83E10FA11E566D83DF0F84B1A57CB346DB42A0CB803559576ABEC09300BFD72F5782B40F925E05CC34A8D79D661CBB0BD7671E8D6261383FF733DF59030597E067FD28295F5CF053ADA89DB9BB134822D0E6F3A59C995D8434FE41D0F57BCB013CD4C1A3B8C82EA69C7988CB6FF034770716BAFA9F2BF7DF02EB780FD3CFEE98DBA965A2EA377FCDEDE202D89E8005BC419C536EBC3DB28019AFD05E47D0A1EBD6D3CE89DDC91CF9975F1AF4DF191D2F5B78A8287EE
  774:d=3  hl=4 l= 261 prim: BIT STRING        
 1039:d=2  hl=3 l= 167 cons: cont [ 3 ]        
 1042:d=3  hl=3 l= 164 cons: SEQUENCE          
 1045:d=4  hl=2 l=  29 cons: SEQUENCE          
 1047:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
 1052:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:04143EF0AD0881CE0DC32FF2F1FBBB492ABD7F618671
 1076:d=4  hl=2 l= 117 cons: SEQUENCE          
 1078:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
 1083:d=5  hl=2 l= 110 prim: OCTET STRING      [HEX DUMP]:306C80143EF0AD0881CE0DC32FF2F1FBBB492ABD7F618671A149A4473045310B3009060355040613024155311330110603550408130A536F6D652D53746174653121301F060355040A1318496E7465726E6574205769646769747320507479204C7464820900E94D268FEE214E82
 1195:d=4  hl=2 l=  12 cons: SEQUENCE          
 1197:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
 1202:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
 1209:d=1  hl=2 l=   9 cons: SEQUENCE          
 1211:d=2  hl=2 l=   7 prim: OBJECT            :dsaWithSHA1
 1220:d=1  hl=2 l=  47 prim: BIT STRING      

## In the above, the DSA parameters (P, Q, and G) are dumped verbatim as they're first-order ASN.1 objects within the optional 'parameters' member of the public key structure (certificates containing RSA keys don't contain any parameters, so you never see this with those). The data portion of that structure is a bit-string containing a DER-encoded blob of the key data itself (because we know it's DER-encoded, we can ask OpenSSL to decode it, below). 

## With DSA, this is just a DER-encoded integer:

% openssl asn1parse -in test.pem -strparse 774 
    0:d=0  hl=4 l= 256 prim: INTEGER           :7AA8A2899A04DCDF6C941E2AC3C1D4554837839C35D9C524BA117BEBB3B556666414FAB59461F48B5EFF81CA7D26250424DA181C04B3EB05D3FA4467649EC7753AD541A9B9988ABAF120B677D4F2895D73D007FAE1183E289D899BDC4B0F4C370B89B55BB24AA6E824AC9366CCF0BCEFC3137CD4EBC86A23EBAF5C14052FE2CA54ACEFA4BEBC34F911DD84F5749894216B313CA8B904D46A1B067C81EC521EA9F04465AD52E2CFBB430B1DBFFAC6F5F7DD892EFC8388B34589A2C9ADB0D7368C32EC3491645E92EDF24B81E5C3A69D4AB8BE89D9493DE8AAC489A684831A8B071DD24364FB99E09E70335140E8BCB088424EBBB2A1733BA52C6AEAEDC2471D6C

## With RSA in a cert instead, things are very similar (note the NULL where DSA has a SEQUENCE of parameters):

% openssl asn1parse -in test-rsa.pem 
    0:d=0  hl=4 l= 949 cons: SEQUENCE          
    4:d=1  hl=4 l= 669 cons: SEQUENCE          
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]        
   10:d=3  hl=2 l=   1 prim: INTEGER           :02
   13:d=2  hl=2 l=   9 prim: INTEGER           :B29EC7E7902C3588
   24:d=2  hl=2 l=  13 cons: SEQUENCE          
   26:d=3  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
   37:d=3  hl=2 l=   0 prim: NULL              
   39:d=2  hl=2 l=  69 cons: SEQUENCE          
   41:d=3  hl=2 l=  11 cons: SET               
   43:d=4  hl=2 l=   9 cons: SEQUENCE          
   45:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   50:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
   54:d=3  hl=2 l=  19 cons: SET               
   56:d=4  hl=2 l=  17 cons: SEQUENCE          
   58:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
   63:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Some-State
   75:d=3  hl=2 l=  33 cons: SET               
   77:d=4  hl=2 l=  31 cons: SEQUENCE          
   79:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
   84:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :Internet Widgits Pty Ltd
  110:d=2  hl=2 l=  30 cons: SEQUENCE          
  112:d=3  hl=2 l=  13 prim: UTCTIME           :111122182703Z
  127:d=3  hl=2 l=  13 prim: UTCTIME           :111222182703Z
  142:d=2  hl=2 l=  69 cons: SEQUENCE          
  144:d=3  hl=2 l=  11 cons: SET               
  146:d=4  hl=2 l=   9 cons: SEQUENCE          
  148:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  153:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :AU
  157:d=3  hl=2 l=  19 cons: SET               
  159:d=4  hl=2 l=  17 cons: SEQUENCE          
  161:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  166:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Some-State
  178:d=3  hl=2 l=  33 cons: SET               
  180:d=4  hl=2 l=  31 cons: SEQUENCE          
  182:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  187:d=5  hl=2 l=  24 prim: PRINTABLESTRING   :Internet Widgits Pty Ltd
  213:d=2  hl=4 l= 290 cons: SEQUENCE          
  217:d=3  hl=2 l=  13 cons: SEQUENCE          
  219:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  230:d=4  hl=2 l=   0 prim: NULL              
  232:d=3  hl=4 l= 271 prim: BIT STRING        
  507:d=2  hl=3 l= 167 cons: cont [ 3 ]        
  510:d=3  hl=3 l= 164 cons: SEQUENCE          
  513:d=4  hl=2 l=  29 cons: SEQUENCE          
  515:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Subject Key Identifier
  520:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:04145753D561FA5280577E94A61A18F77285225FBE1D
  544:d=4  hl=2 l= 117 cons: SEQUENCE          
  546:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Authority Key Identifier
  551:d=5  hl=2 l= 110 prim: OCTET STRING      [HEX DUMP]:306C80145753D561FA5280577E94A61A18F77285225FBE1DA149A4473045310B3009060355040613024155311330110603550408130A536F6D652D53746174653121301F060355040A1318496E7465726E6574205769646769747320507479204C7464820900B29EC7E7902C3588
  663:d=4  hl=2 l=  12 cons: SEQUENCE          
  665:d=5  hl=2 l=   3 prim: OBJECT            :X509v3 Basic Constraints
  670:d=5  hl=2 l=   5 prim: OCTET STRING      [HEX DUMP]:30030101FF
  677:d=1  hl=2 l=  13 cons: SEQUENCE          
  679:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  690:d=2  hl=2 l=   0 prim: NULL              
  692:d=1  hl=4 l= 257 prim: BIT STRING        

## Dumping the bit-string containing the key data for RSA gives us the structure (where DSA just has the INTEGER):

% openssl asn1parse -in test-rsa.pem -strparse 232
    0:d=0  hl=4 l= 266 cons: SEQUENCE          
    4:d=1  hl=4 l= 257 prim: INTEGER           :CBB55A0C161C6FBD185EEC0F067DFCC1F13378F02E621530EB0B612BE651D845ECA3D91B69498EBF2B076DDEA7375C505445E42279D6E77179B7CBED12C41405333D9744920EFC21A28A8314182FDEFF69E55F7B44014FA401F10F61E7012F923787EF1F2ED919EBDA0D910DD087572E4A573A28DD3278171F1593B516DF8EBF1B7B048BEDC8C61061362C50D4D705554F1B2DC60226EC2C49784C14827EC57BB32E58C1F8E24ECC6636ACA0EAB4982AE814CD67B1BC6A1E9F1AEAB2572E568F409E0D6851B7B85EA14330A5B0CBD91F3CA83E229C110E03FEFF6EAB9297DD99AFDB257F60A4680E147C4776C7B44EDD03987B652493C09D57D85A715CC8320F
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

Everything else I can throw it into (beyond home-grown tools) represents as hex too.

If we're going to settle on *one thing*, which by the sounds of it is sensible, make it xsd:hexBinary IMO.

> Ah ok. Again I think that ECC has a problem that there are ways to write out the same key (i.e., many different numbers), which means that one would have to be more careful in specifying how to do matches. I am pretty sure this is not the case with RSA, though I am not sure with DSA.

Hmm, okay. I need to do more research into ECC. I don't *believe* DSA suffers from the same, but I could well be wrong.

M.

-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
Received on Tuesday, 22 November 2011 18:33:14 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 22 November 2011 18:33:15 GMT