#1 2024-11-26 16:39:57

tfopc
Member
Registered: 2024-01-08
Posts: 17

Decoding of X509 - ecdsa-with-SHA384

Hi ab,
i try to decode a X509-certificate from a pem. The certificate is from a TSE (Technische Sicherheits Einrichtung) that is needed for the german law to sign cashregister transactions.
The TX509Parse give me a "false". In "TXTbsCertificate.FromDer" and in "TX509.LoadFromDer" there is a big If-Check - sadly with out the reason for the "false".

After many steps in the debugger i see that the false comes from:

OidToXsa - '1.2.840.10045.4.3.3' is not in the ASN1_OID_SIGNATURE - definition. (OID 1.2.840.10045.4.3.3 ecdsa-with-SHA384) so is this a reason to give a false result?
sorry wrong ...
OID: '1.2.840.10045.2.1' OID2: '1.3.36.3.3.2.8.1.1.11' in OidToXka is not valid result = xkaNone  - OID 1.3.36.3.3.2.8.1.1.11 seems to be "brainpoolP384r1" (https://learn.microsoft.com/en-us/windo … tic-curves)

FYI. this a hardware modul no software

If you whant do debug it youself here is the cert:
(string is without -----BEGIN CERTIFICATE-----#10 ... #10 -----END CERTIFICATE----- and linebreaks)

A Quick test via Online-Decode (https://www.sslshopper.com/certificate-decoder.html) gives me a valid result.

Certificate Information:
Common Name: 74024ea9846d8d438cb8c974af51602d0647403b723e7175f015fc0a38d601f0
Subject Alternative Names:
Organization: Swissbit AG
Organization Unit:
Locality:
State:
Country: DE
Valid From: September 13, 2022
Valid To: August 13, 2028
Issuer: TSE CA 1, T-Systems International GmbH
Serial Number: 2efc649c9776636526782db14e2646f9

Thank you again!

Last edited by tfopc (2024-11-26 16:59:21)

Offline

#2 2024-11-26 19:17:53

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,725
Website

Re: Decoding of X509 - ecdsa-with-SHA384

BrainPool kind of curves is not supported.

Online

#3 2024-11-26 21:38:10

tfopc
Member
Registered: 2024-01-08
Posts: 17

Re: Decoding of X509 - ecdsa-with-SHA384

OK, no problem, I don't want to use the certificate - it was just about decoding some information from it.
I have seen that there is also the function WinX509Parse(..), that was done the job and gives me the needed info in "PeerInfo"

Certificate:
  Version: 3 (0x2)
  Serial Number:
    0a:fd:c7:7c:17:65:30:5f:57:84:c8:5d:94:38:29:a6
  Signature Algorithm: sha384ECDSA
  Issuer: CN=TSE CA 1, O=T-Systems International GmbH, OU=Telekom Security, C=DE
  Validity
    Not Before: Tue, 13 Sep 2022 12:54:20 GMT
    Not After : Sun, 13 Aug 2028 23:59:59 GMT
  Subject: dnQualifier=BSI-DSZ-CC-1121, C=DE, O=Swissbit AG, CN=3c96341676eeadf9b707253271a39eb35559b8c9034f2cbe9da7d2bfaab9b940
  Subject Public Key Info:
    Public Key Algorithm: ECC
    ECC Public Key: (384 bit)
      2f:af:24:a8:7e:66:b4:a1:c1:51:8c:fd:f1:a1:66:a4
      0b:bd:a4:47:ba:8e:9b:e5:39:42:b7:1c:9f:6d:70:74
      a2:5e:9b:19:e2:07:e5:56:60:d9:ee:c8:c2:3c:78:24
      6f:5b:b8:d3:ba:b7:18:61:32:00:de:33:40:ee:3f:31
      06:ab:ac:f3:6a:64:9f:0d:34:21:e2:23:c1:e6:56:dd
      12:f0:0b:28:0f:0e:b6:7d:35:0b:07:fc:70:c3:25:fe
  X509v3 extensions:
    X509v3 Key Usage: critical
      Digital Signature
    X509v3 Basic Constraints: critical
      CA:FALSE
    X509v3 Subject Key Identifier:
      16:57:57:e6:5b:51:e9:86:cc:0e:7e:e3:5c:46:41:e3:f1:54:23:6e
    X509v3 Authority Key Identifier:
      82:b8:ab:33:09:a7:ff:f4:07:93:0f:24:34:fa:5e:75:f6:c9:04:3c

Offline

Board footer

Powered by FluxBB