Support ECDSA explicit curve parameters for ICAO 9303 certificates #885
Comments
Explicit curve parameters aren’t supported by the Golang x509 parser. RFC 5280 also doesn’t allow them. I think it is unlikely Zlint will add support for them. Is there a reason you are using explicit curve parameters?
Hi, explicit curve parameters are a client requirement. Thanks for your fast answer.
Can you expand on that any further? This is an effectively obsolete and unsupported feature, so I think it would be a big change to support it. Is there some ecosystem that uses this, and if so, why?
The use case is to validate the certificate profiles used for signature processes included in ICAO 9303 - PKI for eMRTDS.
Thanks. For my own reference, that document is available in English at https://www.icao.int/publications/Documents/9303_p12_cons_en.pdf Specifically:
I've renamed the ticket to more accurately describe the issue at hand.
It's better so! Thanks again
At some point, we're going to likely have our own more flexible ASN.1 parser (@dadrian is hacking on), but, for the time being, I think this is going to fall out of scope since the certificates violate 5280.
When I try to analyze a PEM certificate with Zlint I get this error:
time="2024-10-08T08:18:42+02:00" level=fatal msg="unable to parse certificate: asn1: structure error: tags don't match (6 vs {class:0 tag:16 length:320 isCompound:true}) {optional:false explicit:false application:false private:false defaultValue: tag: stringType:0 timeType:0 set:false omitEmpty:false} ObjectIdentifier @4"
Can someone help me?
Thanks in advance.
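
The parse error quoted above reports tag 6 (OBJECT IDENTIFIER) expected where tag 16 (SEQUENCE) was found. As an added example (not zlint or zcrypto code), this Go program classifies how a DER SubjectPublicKeyInfo encodes its curve, so explicit-parameter keys can be identified before a strict parser rejects them. The type names, `ClassifyECParams`, `sampleSPKI` and both sample inputs are constructed for illustration; the explicit sample is a truncated stand-in, not real ECParameters.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

var oidECPublicKey = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1} // id-ecPublicKey
var oidP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}     // secp256r1, a named curve

type algorithmIdentifier struct {
	Algorithm  asn1.ObjectIdentifier
	Parameters asn1.RawValue `asn1:"optional"` // kept raw so any tag is accepted
}

type subjectPublicKeyInfo struct {
	Algorithm algorithmIdentifier
	PublicKey asn1.BitString
}

// ClassifyECParams reports how a DER SubjectPublicKeyInfo encodes its curve.
func ClassifyECParams(spki []byte) (string, error) {
	var info subjectPublicKeyInfo
	if _, err := asn1.Unmarshal(spki, &info); err != nil {
		return "", err
	}
	switch p := info.Algorithm.Parameters; {
	case !info.Algorithm.Algorithm.Equal(oidECPublicKey):
		return "not-ec", nil
	case p.Class == asn1.ClassUniversal && p.Tag == asn1.TagOID:
		return "named-curve", nil // tag 6: curve identified by OID
	case p.Class == asn1.ClassUniversal && p.Tag == asn1.TagSequence:
		return "explicit-parameters", nil // tag 16: curve spelled out in a SEQUENCE
	}
	return "other", nil
}

// sampleSPKI builds a constructed input: dummy key bits plus the given parameters.
func sampleSPKI(params interface{}) []byte {
	raw, _ := asn1.Marshal(params)
	der, _ := asn1.Marshal(subjectPublicKeyInfo{
		algorithmIdentifier{oidECPublicKey, asn1.RawValue{FullBytes: raw}},
		asn1.BitString{Bytes: []byte{4, 1, 2}, BitLength: 24}})
	return der
}

func main() {
	fmt.Println(ClassifyECParams(sampleSPKI(oidP256)))                  // named curve
	fmt.Println(ClassifyECParams(sampleSPKI(struct{ Version int }{1}))) // stand-in SEQUENCE
}
```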