- From: Mo McRoberts <mo.mcroberts@bbc.co.uk>
- Date: Tue, 22 Nov 2011 18:32:49 +0000
- To: Henry Story <henry.story@bblfish.net>
- Cc: Tim Berners-Lee <timbl@w3.org>, WebID XG <public-xg-webid@w3.org>
On 22 Nov 2011, at 17:54, Henry Story wrote:
> The only reason is that
> 1. certificates tools tend to all display them in hex format, so that comparison is easier if one can do a quick comparison like that
> 2. there is no xsd:hexInteger and xsd:base64Integer - that is what we are all missing
> 3. it is a bit longer to write the numbers out in base 10
>
> These are really silly issues, but we are kind of stuck with them. the xml-dsig people went to encode everything in base64.
All understandable issues. I'd steer clear of base64 — no tools will understand it.
> I tried coming up with cert:hex which looks nice, allows you to put peace symbols in your hex and does a lot of other cool things, but then we can't do a simple SPARQL ASK query because it is not standard. I am thinking here of large providers that would want their queries to be extremely efficient.
> Do you have a DSA certificate? Then we can quickly look up how these are displayed in openssl and in keychains on different operating systems?
Here we go — bear with me. This is a complete transcript, including manually decoding the DER blobs:
% openssl dsaparam 2048 -out test.dsaparam
Generating DSA parameters, 2048 bit long prime
This could take some time
.....+.....+.............+...................+........+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++*
....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++*
% openssl asn1parse -in test.dsaparam
0:d=0 hl=4 l= 544 cons: SEQUENCE
4:d=1 hl=4 l= 257 prim: INTEGER :813B36F8B9B491C17F8C1BB0A99964E968346B821570F09D72ECD277C13411521EFF75539D860352A786538F8BBD2679146CC1301347D0405BD472745D9D6EBCF88AD8C45FEE6896393F1E6A8313AB9DAD9D7E10D998265F52F2EBE86BC29BAC429835DF3D889522C344B47FFE1ACD3E040EA712307297E7796E6656918CFB8496F433371684ABF55294FDFCEBEF8F02DA69DB0703AEDAF4C126FC7A2D044B90EA2A1BB710462375FE35D8776498B38BCA7070AB8CEB569456800AB912A30B5CBA23F9AEE81BDA52067BA5D7453B81BDA969FF2BF006B6879F2C6907303A68E0405283044A97850D73372B34359548254C3DB959C07F58F5D4E722E9C34D93AD
265:d=1 hl=2 l= 21 prim: INTEGER :92DC11288F468B60AD9837E11FE790058AD115FB
288:d=1 hl=4 l= 256 prim: INTEGER :7C510B45767862FA97BEE1835989A9D18E1B9C39DDAADFFF4D126FE755101DCF26B107E0482731BC2F1D6DE5F642E086B6E56C73FE76A5B09D03C1E6C3A4A87E20E58BF26F9F4026765BA83E10FA11E566D83DF0F84B1A57CB346DB42A0CB803559576ABEC09300BFD72F5782B40F925E05CC34A8D79D661CBB0BD7671E8D6261383FF733DF59030597E067FD28295F5CF053ADA89DB9BB134822D0E6F3A59C995D8434FE41D0F57BCB013CD4C1A3B8C82EA69C7988CB6FF034770716BAFA9F2BF7DF02EB780FD3CFEE98DBA965A2EA377FCDEDE202D89E8005BC419C536EBC3DB28019AFD05E47D0A1EBD6D3CE89DDC91CF9975F1AF4DF191D2F5B78A8287EE
% openssl gendsa -out test.dsa test.dsaparam
Generating DSA key, 2048 bits
% openssl asn1parse -in test.dsa
0:d=0 hl=4 l= 829 cons: SEQUENCE
4:d=1 hl=2 l= 1 prim: INTEGER :00
7:d=1 hl=4 l= 257 prim: INTEGER :813B36F8B9B491C17F8C1BB0A99964E968346B821570F09D72ECD277C13411521EFF75539D860352A786538F8BBD2679146CC1301347D0405BD472745D9D6EBCF88AD8C45FEE6896393F1E6A8313AB9DAD9D7E10D998265F52F2EBE86BC29BAC429835DF3D889522C344B47FFE1ACD3E040EA712307297E7796E6656918CFB8496F433371684ABF55294FDFCEBEF8F02DA69DB0703AEDAF4C126FC7A2D044B90EA2A1BB710462375FE35D8776498B38BCA7070AB8CEB569456800AB912A30B5CBA23F9AEE81BDA52067BA5D7453B81BDA969FF2BF006B6879F2C6907303A68E0405283044A97850D73372B34359548254C3DB959C07F58F5D4E722E9C34D93AD
268:d=1 hl=2 l= 21 prim: INTEGER :92DC11288F468B60AD9837E11FE790058AD115FB
291:d=1 hl=4 l= 256 prim: INTEGER :7C510B45767862FA97BEE1835989A9D18E1B9C39DDAADFFF4D126FE755101DCF26B107E0482731BC2F1D6DE5F642E086B6E56C73FE76A5B09D03C1E6C3A4A87E20E58BF26F9F4026765BA83E10FA11E566D83DF0F84B1A57CB346DB42A0CB803559576ABEC09300BFD72F5782B40F925E05CC34A8D79D661CBB0BD7671E8D6261383FF733DF59030597E067FD28295F5CF053ADA89DB9BB134822D0E6F3A59C995D8434FE41D0F57BCB013CD4C1A3B8C82EA69C7988CB6FF034770716BAFA9F2BF7DF02EB780FD3CFEE98DBA965A2EA377FCDEDE202D89E8005BC419C536EBC3DB28019AFD05E47D0A1EBD6D3CE89DDC91CF9975F1AF4DF191D2F5B78A8287EE
551:d=1 hl=4 l= 256 prim: INTEGER :7AA8A2899A04DCDF6C941E2AC3C1D4554837839C35D9C524BA117BEBB3B556666414FAB59461F48B5EFF81CA7D26250424DA181C04B3EB05D3FA4467649EC7753AD541A9B9988ABAF120B677D4F2895D73D007FAE1183E289D899BDC4B0F4C370B89B55BB24AA6E824AC9366CCF0BCEFC3137CD4EBC86A23EBAF5C14052FE2CA54ACEFA4BEBC34F911DD84F5749894216B313CA8B904D46A1B067C81EC521EA9F04465AD52E2CFBB430B1DBFFAC6F5F7DD892EFC8388B34589A2C9ADB0D7368C32EC3491645E92EDF24B81E5C3A69D4AB8BE89D9493DE8AAC489A684831A8B071DD24364FB99E09E70335140E8BCB088424EBBB2A1733BA52C6AEAEDC2471D6C
811:d=1 hl=2 l= 20 prim: INTEGER :25BC18532788D9FFD254BDC5058D37E43D7B87ED
% openssl dsa -in test.dsa -noout -modulus
read DSA key
Public Key=7AA8A2899A04DCDF6C941E2AC3C1D4554837839C35D9C524BA117BEBB3B556666414FAB59461F48B5EFF81CA7D26250424DA181C04B3EB05D3FA4467649EC7753AD541A9B9988ABAF120B677D4F2895D73D007FAE1183E289D899BDC4B0F4C370B89B55BB24AA6E824AC9366CCF0BCEFC3137CD4EBC86A23EBAF5C14052FE2CA54ACEFA4BEBC34F911DD84F5749894216B313CA8B904D46A1B067C81EC521EA9F04465AD52E2CFBB430B1DBFFAC6F5F7DD892EFC8388B34589A2C9ADB0D7368C32EC3491645E92EDF24B81E5C3A69D4AB8BE89D9493DE8AAC489A684831A8B071DD24364FB99E09E70335140E8BCB088424EBBB2A1733BA52C6AEAEDC2471D6C
% openssl dsa -in test.dsa -noout -text
read DSA key
Private-Key: (2048 bit)
priv:
25:bc:18:53:27:88:d9:ff:d2:54:bd:c5:05:8d:37:
e4:3d:7b:87:ed
pub:
7a:a8:a2:89:9a:04:dc:df:6c:94:1e:2a:c3:c1:d4:
55:48:37:83:9c:35:d9:c5:24:ba:11:7b:eb:b3:b5:
56:66:64:14:fa:b5:94:61:f4:8b:5e:ff:81:ca:7d:
26:25:04:24:da:18:1c:04:b3:eb:05:d3:fa:44:67:
64:9e:c7:75:3a:d5:41:a9:b9:98:8a:ba:f1:20:b6:
77:d4:f2:89:5d:73:d0:07:fa:e1:18:3e:28:9d:89:
9b:dc:4b:0f:4c:37:0b:89:b5:5b:b2:4a:a6:e8:24:
ac:93:66:cc:f0:bc:ef:c3:13:7c:d4:eb:c8:6a:23:
eb:af:5c:14:05:2f:e2:ca:54:ac:ef:a4:be:bc:34:
f9:11:dd:84:f5:74:98:94:21:6b:31:3c:a8:b9:04:
d4:6a:1b:06:7c:81:ec:52:1e:a9:f0:44:65:ad:52:
e2:cf:bb:43:0b:1d:bf:fa:c6:f5:f7:dd:89:2e:fc:
83:88:b3:45:89:a2:c9:ad:b0:d7:36:8c:32:ec:34:
91:64:5e:92:ed:f2:4b:81:e5:c3:a6:9d:4a:b8:be:
89:d9:49:3d:e8:aa:c4:89:a6:84:83:1a:8b:07:1d:
d2:43:64:fb:99:e0:9e:70:33:51:40:e8:bc:b0:88:
42:4e:bb:b2:a1:73:3b:a5:2c:6a:ea:ed:c2:47:1d:
6c
P:
00:81:3b:36:f8:b9:b4:91:c1:7f:8c:1b:b0:a9:99:
64:e9:68:34:6b:82:15:70:f0:9d:72:ec:d2:77:c1:
34:11:52:1e:ff:75:53:9d:86:03:52:a7:86:53:8f:
8b:bd:26:79:14:6c:c1:30:13:47:d0:40:5b:d4:72:
74:5d:9d:6e:bc:f8:8a:d8:c4:5f:ee:68:96:39:3f:
1e:6a:83:13:ab:9d:ad:9d:7e:10:d9:98:26:5f:52:
f2:eb:e8:6b:c2:9b:ac:42:98:35:df:3d:88:95:22:
c3:44:b4:7f:fe:1a:cd:3e:04:0e:a7:12:30:72:97:
e7:79:6e:66:56:91:8c:fb:84:96:f4:33:37:16:84:
ab:f5:52:94:fd:fc:eb:ef:8f:02:da:69:db:07:03:
ae:da:f4:c1:26:fc:7a:2d:04:4b:90:ea:2a:1b:b7:
10:46:23:75:fe:35:d8:77:64:98:b3:8b:ca:70:70:
ab:8c:eb:56:94:56:80:0a:b9:12:a3:0b:5c:ba:23:
f9:ae:e8:1b:da:52:06:7b:a5:d7:45:3b:81:bd:a9:
69:ff:2b:f0:06:b6:87:9f:2c:69:07:30:3a:68:e0:
40:52:83:04:4a:97:85:0d:73:37:2b:34:35:95:48:
25:4c:3d:b9:59:c0:7f:58:f5:d4:e7:22:e9:c3:4d:
93:ad
Q:
00:92:dc:11:28:8f:46:8b:60:ad:98:37:e1:1f:e7:
90:05:8a:d1:15:fb
G:
7c:51:0b:45:76:78:62:fa:97:be:e1:83:59:89:a9:
d1:8e:1b:9c:39:dd:aa:df:ff:4d:12:6f:e7:55:10:
1d:cf:26:b1:07:e0:48:27:31:bc:2f:1d:6d:e5:f6:
42:e0:86:b6:e5:6c:73:fe:76:a5:b0:9d:03:c1:e6:
c3:a4:a8:7e:20:e5:8b:f2:6f:9f:40:26:76:5b:a8:
3e:10:fa:11:e5:66:d8:3d:f0:f8:4b:1a:57:cb:34:
6d:b4:2a:0c:b8:03:55:95:76:ab:ec:09:30:0b:fd:
72:f5:78:2b:40:f9:25:e0:5c:c3:4a:8d:79:d6:61:
cb:b0:bd:76:71:e8:d6:26:13:83:ff:73:3d:f5:90:
30:59:7e:06:7f:d2:82:95:f5:cf:05:3a:da:89:db:
9b:b1:34:82:2d:0e:6f:3a:59:c9:95:d8:43:4f:e4:
1d:0f:57:bc:b0:13:cd:4c:1a:3b:8c:82:ea:69:c7:
98:8c:b6:ff:03:47:70:71:6b:af:a9:f2:bf:7d:f0:
2e:b7:80:fd:3c:fe:e9:8d:ba:96:5a:2e:a3:77:fc:
de:de:20:2d:89:e8:00:5b:c4:19:c5:36:eb:c3:db:
28:01:9a:fd:05:e4:7d:0a:1e:bd:6d:3c:e8:9d:dc:
91:cf:99:75:f1:af:4d:f1:91:d2:f5:b7:8a:82:87:
ee
% openssl req -new -x509 -key test.dsa -out test.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
% openssl x509 -in test.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
e9:4d:26:8f:ee:21:4e:82
Signature Algorithm: dsaWithSHA1
Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Validity
Not Before: Nov 22 18:15:50 2011 GMT
Not After : Dec 22 18:15:50 2011 GMT
Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd
Subject Public Key Info:
Public Key Algorithm: dsaEncryption
DSA Public Key:
pub:
7a:a8:a2:89:9a:04:dc:df:6c:94:1e:2a:c3:c1:d4:
55:48:37:83:9c:35:d9:c5:24:ba:11:7b:eb:b3:b5:
56:66:64:14:fa:b5:94:61:f4:8b:5e:ff:81:ca:7d:
26:25:04:24:da:18:1c:04:b3:eb:05:d3:fa:44:67:
64:9e:c7:75:3a:d5:41:a9:b9:98:8a:ba:f1:20:b6:
77:d4:f2:89:5d:73:d0:07:fa:e1:18:3e:28:9d:89:
9b:dc:4b:0f:4c:37:0b:89:b5:5b:b2:4a:a6:e8:24:
ac:93:66:cc:f0:bc:ef:c3:13:7c:d4:eb:c8:6a:23:
eb:af:5c:14:05:2f:e2:ca:54:ac:ef:a4:be:bc:34:
f9:11:dd:84:f5:74:98:94:21:6b:31:3c:a8:b9:04:
d4:6a:1b:06:7c:81:ec:52:1e:a9:f0:44:65:ad:52:
e2:cf:bb:43:0b:1d:bf:fa:c6:f5:f7:dd:89:2e:fc:
83:88:b3:45:89:a2:c9:ad:b0:d7:36:8c:32:ec:34:
91:64:5e:92:ed:f2:4b:81:e5:c3:a6:9d:4a:b8:be:
89:d9:49:3d:e8:aa:c4:89:a6:84:83:1a:8b:07:1d:
d2:43:64:fb:99:e0:9e:70:33:51:40:e8:bc:b0:88:
42:4e:bb:b2:a1:73:3b:a5:2c:6a:ea:ed:c2:47:1d:
6c
P:
00:81:3b:36:f8:b9:b4:91:c1:7f:8c:1b:b0:a9:99:
64:e9:68:34:6b:82:15:70:f0:9d:72:ec:d2:77:c1:
34:11:52:1e:ff:75:53:9d:86:03:52:a7:86:53:8f:
8b:bd:26:79:14:6c:c1:30:13:47:d0:40:5b:d4:72:
74:5d:9d:6e:bc:f8:8a:d8:c4:5f:ee:68:96:39:3f:
1e:6a:83:13:ab:9d:ad:9d:7e:10:d9:98:26:5f:52:
f2:eb:e8:6b:c2:9b:ac:42:98:35:df:3d:88:95:22:
c3:44:b4:7f:fe:1a:cd:3e:04:0e:a7:12:30:72:97:
e7:79:6e:66:56:91:8c:fb:84:96:f4:33:37:16:84:
ab:f5:52:94:fd:fc:eb:ef:8f:02:da:69:db:07:03:
ae:da:f4:c1:26:fc:7a:2d:04:4b:90:ea:2a:1b:b7:
10:46:23:75:fe:35:d8:77:64:98:b3:8b:ca:70:70:
ab:8c:eb:56:94:56:80:0a:b9:12:a3:0b:5c:ba:23:
f9:ae:e8:1b:da:52:06:7b:a5:d7:45:3b:81:bd:a9:
69:ff:2b:f0:06:b6:87:9f:2c:69:07:30:3a:68:e0:
40:52:83:04:4a:97:85:0d:73:37:2b:34:35:95:48:
25:4c:3d:b9:59:c0:7f:58:f5:d4:e7:22:e9:c3:4d:
93:ad
Q:
00:92:dc:11:28:8f:46:8b:60:ad:98:37:e1:1f:e7:
90:05:8a:d1:15:fb
G:
7c:51:0b:45:76:78:62:fa:97:be:e1:83:59:89:a9:
d1:8e:1b:9c:39:dd:aa:df:ff:4d:12:6f:e7:55:10:
1d:cf:26:b1:07:e0:48:27:31:bc:2f:1d:6d:e5:f6:
42:e0:86:b6:e5:6c:73:fe:76:a5:b0:9d:03:c1:e6:
c3:a4:a8:7e:20:e5:8b:f2:6f:9f:40:26:76:5b:a8:
3e:10:fa:11:e5:66:d8:3d:f0:f8:4b:1a:57:cb:34:
6d:b4:2a:0c:b8:03:55:95:76:ab:ec:09:30:0b:fd:
72:f5:78:2b:40:f9:25:e0:5c:c3:4a:8d:79:d6:61:
cb:b0:bd:76:71:e8:d6:26:13:83:ff:73:3d:f5:90:
30:59:7e:06:7f:d2:82:95:f5:cf:05:3a:da:89:db:
9b:b1:34:82:2d:0e:6f:3a:59:c9:95:d8:43:4f:e4:
1d:0f:57:bc:b0:13:cd:4c:1a:3b:8c:82:ea:69:c7:
98:8c:b6:ff:03:47:70:71:6b:af:a9:f2:bf:7d:f0:
2e:b7:80:fd:3c:fe:e9:8d:ba:96:5a:2e:a3:77:fc:
de:de:20:2d:89:e8:00:5b:c4:19:c5:36:eb:c3:db:
28:01:9a:fd:05:e4:7d:0a:1e:bd:6d:3c:e8:9d:dc:
91:cf:99:75:f1:af:4d:f1:91:d2:f5:b7:8a:82:87:
ee
X509v3 extensions:
X509v3 Subject Key Identifier:
3E:F0:AD:08:81:CE:0D:C3:2F:F2:F1:FB:BB:49:2A:BD:7F:61:86:71
X509v3 Authority Key Identifier:
keyid:3E:F0:AD:08:81:CE:0D:C3:2F:F2:F1:FB:BB:49:2A:BD:7F:61:86:71
DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd
serial:E9:4D:26:8F:EE:21:4E:82
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: dsaWithSHA1
30:2c:02:14:18:4b:d1:a2:39:8e:73:69:52:ad:1e:ad:2b:8b:
01:94:4c:8c:a9:79:02:14:10:ec:76:c3:39:d4:c0:ef:65:4d:
c2:7d:6f:d6:07:f4:59:aa:e9:7c
% openssl asn1parse -in test.pem
0:d=0 hl=4 l=1265 cons: SEQUENCE
4:d=1 hl=4 l=1201 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 9 prim: INTEGER :E94D268FEE214E82
24:d=2 hl=2 l= 9 cons: SEQUENCE
26:d=3 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
35:d=2 hl=2 l= 69 cons: SEQUENCE
37:d=3 hl=2 l= 11 cons: SET
39:d=4 hl=2 l= 9 cons: SEQUENCE
41:d=5 hl=2 l= 3 prim: OBJECT :countryName
46:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
50:d=3 hl=2 l= 19 cons: SET
52:d=4 hl=2 l= 17 cons: SEQUENCE
54:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
59:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Some-State
71:d=3 hl=2 l= 33 cons: SET
73:d=4 hl=2 l= 31 cons: SEQUENCE
75:d=5 hl=2 l= 3 prim: OBJECT :organizationName
80:d=5 hl=2 l= 24 prim: PRINTABLESTRING :Internet Widgits Pty Ltd
106:d=2 hl=2 l= 30 cons: SEQUENCE
108:d=3 hl=2 l= 13 prim: UTCTIME :111122181550Z
123:d=3 hl=2 l= 13 prim: UTCTIME :111222181550Z
138:d=2 hl=2 l= 69 cons: SEQUENCE
140:d=3 hl=2 l= 11 cons: SET
142:d=4 hl=2 l= 9 cons: SEQUENCE
144:d=5 hl=2 l= 3 prim: OBJECT :countryName
149:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
153:d=3 hl=2 l= 19 cons: SET
155:d=4 hl=2 l= 17 cons: SEQUENCE
157:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
162:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Some-State
174:d=3 hl=2 l= 33 cons: SET
176:d=4 hl=2 l= 31 cons: SEQUENCE
178:d=5 hl=2 l= 3 prim: OBJECT :organizationName
183:d=5 hl=2 l= 24 prim: PRINTABLESTRING :Internet Widgits Pty Ltd
209:d=2 hl=4 l= 826 cons: SEQUENCE
213:d=3 hl=4 l= 557 cons: SEQUENCE
217:d=4 hl=2 l= 7 prim: OBJECT :dsaEncryption
226:d=4 hl=4 l= 544 cons: SEQUENCE
230:d=5 hl=4 l= 257 prim: INTEGER :813B36F8B9B491C17F8C1BB0A99964E968346B821570F09D72ECD277C13411521EFF75539D860352A786538F8BBD2679146CC1301347D0405BD472745D9D6EBCF88AD8C45FEE6896393F1E6A8313AB9DAD9D7E10D998265F52F2EBE86BC29BAC429835DF3D889522C344B47FFE1ACD3E040EA712307297E7796E6656918CFB8496F433371684ABF55294FDFCEBEF8F02DA69DB0703AEDAF4C126FC7A2D044B90EA2A1BB710462375FE35D8776498B38BCA7070AB8CEB569456800AB912A30B5CBA23F9AEE81BDA52067BA5D7453B81BDA969FF2BF006B6879F2C6907303A68E0405283044A97850D73372B34359548254C3DB959C07F58F5D4E722E9C34D93AD
491:d=5 hl=2 l= 21 prim: INTEGER :92DC11288F468B60AD9837E11FE790058AD115FB
514:d=5 hl=4 l= 256 prim: INTEGER :7C510B45767862FA97BEE1835989A9D18E1B9C39DDAADFFF4D126FE755101DCF26B107E0482731BC2F1D6DE5F642E086B6E56C73FE76A5B09D03C1E6C3A4A87E20E58BF26F9F4026765BA83E10FA11E566D83DF0F84B1A57CB346DB42A0CB803559576ABEC09300BFD72F5782B40F925E05CC34A8D79D661CBB0BD7671E8D6261383FF733DF59030597E067FD28295F5CF053ADA89DB9BB134822D0E6F3A59C995D8434FE41D0F57BCB013CD4C1A3B8C82EA69C7988CB6FF034770716BAFA9F2BF7DF02EB780FD3CFEE98DBA965A2EA377FCDEDE202D89E8005BC419C536EBC3DB28019AFD05E47D0A1EBD6D3CE89DDC91CF9975F1AF4DF191D2F5B78A8287EE
774:d=3 hl=4 l= 261 prim: BIT STRING
1039:d=2 hl=3 l= 167 cons: cont [ 3 ]
1042:d=3 hl=3 l= 164 cons: SEQUENCE
1045:d=4 hl=2 l= 29 cons: SEQUENCE
1047:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
1052:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04143EF0AD0881CE0DC32FF2F1FBBB492ABD7F618671
1076:d=4 hl=2 l= 117 cons: SEQUENCE
1078:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
1083:d=5 hl=2 l= 110 prim: OCTET STRING [HEX DUMP]:306C80143EF0AD0881CE0DC32FF2F1FBBB492ABD7F618671A149A4473045310B3009060355040613024155311330110603550408130A536F6D652D53746174653121301F060355040A1318496E7465726E6574205769646769747320507479204C7464820900E94D268FEE214E82
1195:d=4 hl=2 l= 12 cons: SEQUENCE
1197:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
1202:d=5 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
1209:d=1 hl=2 l= 9 cons: SEQUENCE
1211:d=2 hl=2 l= 7 prim: OBJECT :dsaWithSHA1
1220:d=1 hl=2 l= 47 prim: BIT STRING
## In the above, the DSA parameters (P, Q, and G) are dumped verbatim as they're first-order ASN.1 objects within the optional 'parameters' member of the public key structure (certificates containing RSA keys don't contain any parameters, so you never see this with those). The data portion of that structure is a bit-string containing a DER-encoded blob of the key data itself (because we know it's DER-encoded, we can ask OpenSSL to decode it, below).
## With DSA, this is just a DER-encoded integer:
% openssl asn1parse -in test.pem -strparse 774
0:d=0 hl=4 l= 256 prim: INTEGER :7AA8A2899A04DCDF6C941E2AC3C1D4554837839C35D9C524BA117BEBB3B556666414FAB59461F48B5EFF81CA7D26250424DA181C04B3EB05D3FA4467649EC7753AD541A9B9988ABAF120B677D4F2895D73D007FAE1183E289D899BDC4B0F4C370B89B55BB24AA6E824AC9366CCF0BCEFC3137CD4EBC86A23EBAF5C14052FE2CA54ACEFA4BEBC34F911DD84F5749894216B313CA8B904D46A1B067C81EC521EA9F04465AD52E2CFBB430B1DBFFAC6F5F7DD892EFC8388B34589A2C9ADB0D7368C32EC3491645E92EDF24B81E5C3A69D4AB8BE89D9493DE8AAC489A684831A8B071DD24364FB99E09E70335140E8BCB088424EBBB2A1733BA52C6AEAEDC2471D6C
## With RSA in a cert instead, things are very similar (note the NULL where DSA has a SEQUENCE of parameters):
% openssl asn1parse -in test-rsa.pem
0:d=0 hl=4 l= 949 cons: SEQUENCE
4:d=1 hl=4 l= 669 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :02
13:d=2 hl=2 l= 9 prim: INTEGER :B29EC7E7902C3588
24:d=2 hl=2 l= 13 cons: SEQUENCE
26:d=3 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
37:d=3 hl=2 l= 0 prim: NULL
39:d=2 hl=2 l= 69 cons: SEQUENCE
41:d=3 hl=2 l= 11 cons: SET
43:d=4 hl=2 l= 9 cons: SEQUENCE
45:d=5 hl=2 l= 3 prim: OBJECT :countryName
50:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
54:d=3 hl=2 l= 19 cons: SET
56:d=4 hl=2 l= 17 cons: SEQUENCE
58:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
63:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Some-State
75:d=3 hl=2 l= 33 cons: SET
77:d=4 hl=2 l= 31 cons: SEQUENCE
79:d=5 hl=2 l= 3 prim: OBJECT :organizationName
84:d=5 hl=2 l= 24 prim: PRINTABLESTRING :Internet Widgits Pty Ltd
110:d=2 hl=2 l= 30 cons: SEQUENCE
112:d=3 hl=2 l= 13 prim: UTCTIME :111122182703Z
127:d=3 hl=2 l= 13 prim: UTCTIME :111222182703Z
142:d=2 hl=2 l= 69 cons: SEQUENCE
144:d=3 hl=2 l= 11 cons: SET
146:d=4 hl=2 l= 9 cons: SEQUENCE
148:d=5 hl=2 l= 3 prim: OBJECT :countryName
153:d=5 hl=2 l= 2 prim: PRINTABLESTRING :AU
157:d=3 hl=2 l= 19 cons: SET
159:d=4 hl=2 l= 17 cons: SEQUENCE
161:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
166:d=5 hl=2 l= 10 prim: PRINTABLESTRING :Some-State
178:d=3 hl=2 l= 33 cons: SET
180:d=4 hl=2 l= 31 cons: SEQUENCE
182:d=5 hl=2 l= 3 prim: OBJECT :organizationName
187:d=5 hl=2 l= 24 prim: PRINTABLESTRING :Internet Widgits Pty Ltd
213:d=2 hl=4 l= 290 cons: SEQUENCE
217:d=3 hl=2 l= 13 cons: SEQUENCE
219:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption
230:d=4 hl=2 l= 0 prim: NULL
232:d=3 hl=4 l= 271 prim: BIT STRING
507:d=2 hl=3 l= 167 cons: cont [ 3 ]
510:d=3 hl=3 l= 164 cons: SEQUENCE
513:d=4 hl=2 l= 29 cons: SEQUENCE
515:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Subject Key Identifier
520:d=5 hl=2 l= 22 prim: OCTET STRING [HEX DUMP]:04145753D561FA5280577E94A61A18F77285225FBE1D
544:d=4 hl=2 l= 117 cons: SEQUENCE
546:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Authority Key Identifier
551:d=5 hl=2 l= 110 prim: OCTET STRING [HEX DUMP]:306C80145753D561FA5280577E94A61A18F77285225FBE1DA149A4473045310B3009060355040613024155311330110603550408130A536F6D652D53746174653121301F060355040A1318496E7465726E6574205769646769747320507479204C7464820900B29EC7E7902C3588
663:d=4 hl=2 l= 12 cons: SEQUENCE
665:d=5 hl=2 l= 3 prim: OBJECT :X509v3 Basic Constraints
670:d=5 hl=2 l= 5 prim: OCTET STRING [HEX DUMP]:30030101FF
677:d=1 hl=2 l= 13 cons: SEQUENCE
679:d=2 hl=2 l= 9 prim: OBJECT :sha1WithRSAEncryption
690:d=2 hl=2 l= 0 prim: NULL
692:d=1 hl=4 l= 257 prim: BIT STRING
## Dumping the bit-string containing the key data for RSA gives us the structure (where DSA just has the INTEGER):
% openssl asn1parse -in test-rsa.pem -strparse 232
0:d=0 hl=4 l= 266 cons: SEQUENCE
4:d=1 hl=4 l= 257 prim: INTEGER :CBB55A0C161C6FBD185EEC0F067DFCC1F13378F02E621530EB0B612BE651D845ECA3D91B69498EBF2B076DDEA7375C505445E42279D6E77179B7CBED12C41405333D9744920EFC21A28A8314182FDEFF69E55F7B44014FA401F10F61E7012F923787EF1F2ED919EBDA0D910DD087572E4A573A28DD3278171F1593B516DF8EBF1B7B048BEDC8C61061362C50D4D705554F1B2DC60226EC2C49784C14827EC57BB32E58C1F8E24ECC6636ACA0EAB4982AE814CD67B1BC6A1E9F1AEAB2572E568F409E0D6851B7B85EA14330A5B0CBD91F3CA83E229C110E03FEFF6EAB9297DD99AFDB257F60A4680E147C4776C7B44EDD03987B652493C09D57D85A715CC8320F
265:d=1 hl=2 l= 3 prim: INTEGER :010001
Everything else I can throw it into (beyond home-grown tools) represents as hex too.
If we're going to settle on *one thing*, which by the sounds of it is sensible, make it xsd:hexBinary IMO.
> Ah ok. Again I think that ECC has a problem that there are ways to write out the same key (i.e., many different numbers), which means that one would have to be more careful in specifying how to do matches. I am pretty sure this is not the case with RSA, though I am not sure with DSA.
Hmm, okay. I need to do more research into ECC. I don't *believe* DSA suffers from the same, but I could well be wrong.
M.
--
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ
Received on Tuesday, 22 November 2011 18:33:14 UTC