@ariawisp commented Sep 7, 2025

Summary

  • Add RFC 8410 OIDs as ObjectIdentifier extensions: Ed25519, Ed448, X25519, X448.
  • Make AlgorithmIdentifier RFC 8410–conformant on encode: parameters are ABSENT for the four OIDs; decoder tolerates explicit NULL.
  • Support unknown AlgorithmIdentifier keys robustly by preserving parameters as raw ASN.1 for round‑trip (Asn1Any).
  • Add SEQUENCE OF (list) support to the DER codec.
  • Extend unit tests (encode/decode/round‑trip, SPKI vectors, negative cases) and wire focused multi‑platform CI runs for ASN.1 modules.

Issue linkage

  • Addresses issue #21 (ASN.1 improvements)
    • Support lists encoding: ✅ Implemented (SEQUENCE OF via StructureKind.LIST).
    • Support unknown keys: ✅ Implemented with UnknownKeyAlgorithmIdentifier(algorithm, parameters) and Asn1Any to preserve parameters.
    • Support default (optional values) encoding configuration: already ✅ upstream; unchanged here.
    • Support context-specific classes: already ✅ upstream; unchanged here. Added more negative tests for validation.

Details

  1. RFC 8410 OIDs and encoding rules

    • New helpers in asn1/modules:
      • ObjectIdentifier.Companion.Ed25519 → 1.3.101.112
      • ObjectIdentifier.Companion.Ed448 → 1.3.101.113
      • ObjectIdentifier.Companion.X25519 → 1.3.101.110
      • ObjectIdentifier.Companion.X448 → 1.3.101.111
      • internal fun ObjectIdentifier.isRfc8410NoParams() groups the four OIDs.
    • Encoder: KeyAlgorithmIdentifierSerializer.encodeParameters omits the "parameters" element for these OIDs (ABSENT). RSA remains explicit NULL; EC unchanged.
    • Decoder: tolerates both ABSENT and explicit NULL for these OIDs and constructs UnknownKeyAlgorithmIdentifier.
  2. Unknown AlgorithmIdentifier preservation (round‑trip)

    • New Asn1Any captures raw TLV bytes of unknown parameters.
    • UnknownKeyAlgorithmIdentifier now stores parameters: Any? (previously Nothing?), using Asn1Any when present.
    • Encode behavior for unknown algorithms:
      • RFC 8410 OIDs → omit parameters (normalize to ABSENT).
      • Other OIDs → if parameters is Asn1Any, write it back as‑is; if null, omit.
    • Deserializer: AlgorithmIdentifier base permits ABSENT parameters path by delegating to subclass construction.
  3. SEQUENCE OF (lists)

    • DerDecoder and DerEncoder now handle StructureKind.LIST to encode/decode SEQUENCE OF values.

Tests

  • ASN.1 modules:
    • Encode: Ed25519/X25519 AlgorithmIdentifier encodes with ABSENT parameters; RSA encodes with explicit NULL.
    • Round‑trip normalization: decoding RFC 8410 NULL → re‑encodes to ABSENT.
    • Decode: Ed25519/X25519/Ed448/X448 accept both ABSENT and NULL.
    • SPKI decode: Ed25519 with ABSENT/NULL.
    • Unknown non-RFC 8410 OID with non-NULL parameters: exact byte-for-byte round-trip via Asn1Any.
  • Core ASN.1:
    • Lists: SEQUENCE OF INTEGER encode/decode (+ empty list).
    • Negative tests: wrong tag for INTEGER; invalid long‑form length; context‑specific tag mismatch (IMPLICIT and EXPLICIT inner tag); BitString unused bits consistency.

CI

  • New workflow .github/workflows/run-tests-asn1.yml runs a quick, focused matrix for ASN.1 core and modules: JVM, JS, Wasm Node, Linux x64.
  • Hooked into run-checks.yml (runs after build) to increase cross‑platform confidence without slowing the entire pipeline.

API / ABI notes

  • New public class: dev.whyoleg.cryptography.serialization.asn1.Asn1Any (core ASN.1 module).
  • UnknownKeyAlgorithmIdentifier signature changed:
    • Before: UnknownKeyAlgorithmIdentifier(algorithm: ObjectIdentifier) with parameters: Nothing?
    • After: UnknownKeyAlgorithmIdentifier(algorithm: ObjectIdentifier, parameters: Any? = null)
    • Source/ABI change in cryptography-serialization-asn1-modules (API files updated). Typical use sites constructing unknown identifiers remain source‑compatible if they do not reference the old parameters type; call sites with 1‑arg constructor continue to work.
  • Docs: Asn1Any.bytes contains full TLV (Tag + Length + Value).

Motivation and outcomes

  • RFC 8410 compliance: DER outputs match the spec (parameters ABSENT) while accepting explicit NULL in inputs seen in the wild.
  • Unknown keys are decodable and round‑trippable, making the codec resilient to extensions without schema updates.
  • SEQUENCE OF support unlocks more ASN.1 constructs and improves parity with real‑world structures.

Examples

  • Ed25519 AlgorithmIdentifier encodes to 30 05 06 03 2B 65 70 (no parameters element).
  • X25519 AlgorithmIdentifier encodes to 30 05 06 03 2B 65 6E.
  • RSA AlgorithmIdentifier continues to encode with explicit NULL.

Backward compatibility notes

  • If external code relied on UnknownKeyAlgorithmIdentifier.parameters being always null, it may now hold Asn1Any for unknown algorithms with present parameters. Consumers can ignore parameters or recognize Asn1Any to access raw TLV bytes when needed.

Checklist against #21

  • Support lists encoding (SEQUENCE OF)
  • Support unknown keys (decode + preserve parameters)
  • Support default (optional values) encoding configuration (already upstream)
  • Support context-specific classes (already upstream; added negative tests)
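
The AlgorithmIdentifier rules described in this PR (accept ABSENT or explicit NULL for the RFC 8410 OIDs, normalize to ABSENT on encode, keep an unknown algorithm's parameters as a raw TLV), as an added example that is not part of the PR or the project's Kotlin code. It is a stand-alone Python sketch: the function names and the private-arc sample OID are hypothetical, and rejecting non-NULL parameters for an RFC 8410 OID is an assumption of this example, not something the PR states.

```python
# Added example, not the project's code: AlgorithmIdentifier rules from the PR.
RFC8410_OIDS = {  # DER content bytes of 1.3.101.110 .. 1.3.101.113
    bytes.fromhex("2b656e"): "X25519", bytes.fromhex("2b656f"): "X448",
    bytes.fromhex("2b6570"): "Ed25519", bytes.fromhex("2b6571"): "Ed448",
}
NULL_TLV = b"\x05\x00"
# Constructed sample: private-arc OID 1.3.6.1.4.1.99999.1 with INTEGER 5 as parameters.
UNKNOWN_SAMPLE = bytes.fromhex("300e06092b06010401868d1f01020105")

def read_tlv(buf, pos):
    """Return (tag, value, end); single-byte tags only, strict DER lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n, start = length & 0x7F, pos
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if n == 0 or n > 4 or pos > len(buf) or length < 0x80 or buf[start] == 0:
            raise ValueError("invalid or non-minimal long-form length")
    if pos + length > len(buf):
        raise ValueError("length exceeds input")
    return tag, buf[pos:pos + length], pos + length

def decode_algorithm_identifier(der):
    """Return (oid_content_bytes, parameters); parameters is None or a full raw TLV."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    params = None
    if pos < len(body):
        _, _, p_end = read_tlv(body, pos)
        if p_end != len(body):
            raise ValueError("trailing data after parameters")
        params = body[pos:p_end]  # Tag + Length + Value, kept byte for byte
    if oid in RFC8410_OIDS and params not in (None, NULL_TLV):
        raise ValueError("RFC 8410 OID with non-NULL parameters")  # assumption
    return oid, params

def encode_algorithm_identifier(oid, params):
    """Encode; RFC 8410 OIDs always get ABSENT parameters, others keep their raw TLV."""
    if oid in RFC8410_OIDS:
        params = None  # normalize an accepted explicit NULL to ABSENT
    body = bytes([0x06, len(oid)]) + oid + (params or b"")
    if len(body) >= 0x80:
        raise ValueError("example encodes short-form lengths only")
    return bytes([0x30, len(body)]) + body
```
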

@ariawisp force-pushed the feat/asn1-oids-rfc8410 branch from e66a8df to 30420c0 September 7, 2025 01:17
@ariawisp changed the title from "ASN.1: Ed25519/Ed448 and X25519/X448 OIDs; accept absent/NULL AlgorithmIdentifier params (RFC 8410)" to "ASN.1: Ed25519/Ed448 and X25519/X448 OIDs; accept ABSENT/NULL AlgorithmIdentifier params (RFC 8410)" Sep 7, 2025
@ariawisp force-pushed the feat/asn1-oids-rfc8410 branch from 30420c0 to ad30fb8 September 7, 2025 01:37
@ariawisp force-pushed the feat/asn1-oids-rfc8410 branch from ad30fb8 to 612b463 September 7, 2025 02:16
@ariawisp force-pushed the feat/asn1-oids-rfc8410 branch from 612b463 to 77e7300 September 7, 2025 17:46
…Identifier params via Asn1Any; add SEQUENCE OF support; update API/ABI and changelog

- Add ObjectIdentifier extensions for Ed25519/Ed448/X25519/X448
- Enforce RFC 8410 on encode (omit parameters); decoder tolerates NULL
- Introduce Asn1Any and carry parameters in UnknownKeyAlgorithmIdentifier
- Support StructureKind.LIST (SEQUENCE OF) in DER codec
- Update API dumps and CHANGELOG; add PR description
@ariawisp force-pushed the feat/asn1-oids-rfc8410 branch from 77e7300 to 8fe6dc1 September 7, 2025 17:49
@ariawisp changed the title from "ASN.1: Ed25519/Ed448 and X25519/X448 OIDs; accept ABSENT/NULL AlgorithmIdentifier params (RFC 8410)" to "ASN.1: RFC 8410 OIDs, ABSENT params, Unknown key preservation, SEQUENCE OF support" Sep 7, 2025

…n1Any KDoc; fix AlgorithmIdentifier deserializer to allow ABSENT params path