IllegalArgumentException when Building Certificate with Delta Certificate Extension if Subject and Issuer are the Same #1683

Open
NoahFreising opened this issue May 25, 2024 · 0 comments
While playing around with delta certificates, I noticed that BC throws an IllegalArgumentException when building a certificate with a delta certificate extension constructed using DeltaCertificateTool.makeDeltaCertificateExtension(). This occurs when both the Issuer and Subject of the base and delta certificate are the same. The exception is not thrown, and the certificate is constructed correctly, if only one of the Issuer and Subject is the same or if they are different. The relevant Internet-Draft appears to allow the same Subject and Issuer to be present in both the delta and base certificate, meaning that neither will be present in the constructed extension.

BC version: 1.78.1.

Stack trace:

Exception in thread "main" java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.x509.SubjectPublicKeyInfo
	at org.bouncycastle.asn1.ASN1BitString.getInstance(Unknown Source)
	at org.bouncycastle.asn1.x509.DeltaCertificateDescriptor.<init>(Unknown Source)
	at org.bouncycastle.asn1.x509.DeltaCertificateDescriptor.trimTo(Unknown Source)
	at org.bouncycastle.cert.X509v3CertificateBuilder.build(Unknown Source)
	at ch.freising.pqcthesis.DeltaCertMinimalTest.main(DeltaCertMinimalTest.java:52)

Minimum example that throws an exception:

package ch.freising.pqcthesis;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.DeltaCertificateTool;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

import java.io.IOException;

public class DeltaCertMinimalTest {
    public static void main(String[] args) throws OperatorCreationException, IOException {
        // Generate RSA KeyPairs
        KeyPairGeneratorSpi rsaKeyGen = new KeyPairGeneratorSpi();
        rsaKeyGen.initialize(2048, new java.security.SecureRandom());
        java.security.KeyPair deltaKeyPair = rsaKeyGen.generateKeyPair();
        java.security.KeyPair baseKeyPair = rsaKeyGen.generateKeyPair();

        // Generate a self-signed Delta Certificate
        X509v3CertificateBuilder deltaCertBuilder = new X509v3CertificateBuilder(
                new X500Name("CN=Issuer"),
                java.math.BigInteger.valueOf(1L),
                new java.util.Date(System.currentTimeMillis()),
                new java.util.Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000),
                new X500Name("CN=Subject"),
                SubjectPublicKeyInfo.getInstance(deltaKeyPair.getPublic().getEncoded())
        );
        ContentSigner deltaRootSigner = new JcaContentSignerBuilder("SHA256withRSA").build(deltaKeyPair.getPrivate());
        X509CertificateHolder deltaCert = deltaCertBuilder.build(deltaRootSigner);

        // Generate a self-signed Base Certificate
        X509v3CertificateBuilder baseCertBuilder = new X509v3CertificateBuilder(
                new X500Name("CN=Issuer"), // Same as Delta Certificate
                java.math.BigInteger.valueOf(2L),
                new java.util.Date(System.currentTimeMillis()),
                new java.util.Date(System.currentTimeMillis() + 365L * 24 * 60 * 60 * 1000),
                new X500Name("CN=Subject"), // Same as Delta Certificate
                SubjectPublicKeyInfo.getInstance(baseKeyPair.getPublic().getEncoded())
        );

        // Create Delta Extension
        Extension deltaCertExtension = DeltaCertificateTool.makeDeltaCertificateExtension(false, deltaCert);
        // Add Delta Extension to Base Certificate
        baseCertBuilder.addExtension(deltaCertExtension);
        // Build Base Certificate
        ContentSigner baseRootSigner = new JcaContentSignerBuilder("SHA256withRSA").build(baseKeyPair.getPrivate());
        X509CertificateHolder baseCert = baseCertBuilder.build(baseRootSigner); // <= Exception thrown here
    }
}
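The stack trace suggests that, once both issuer and subject are omitted from the descriptor, the constructor reaches the SubjectPublicKeyInfo where it expects the trailing signatureValue BIT STRING, i.e. the fields are being located by position. As an added example (not from the issue or from Bouncy Castle's code), here is a decoder for the DeltaCertificateDescriptor value that dispatches on each element's tag number instead, together with a small constructor for sample input; the field layout is my reading of the chameleon-certs Internet-Draft, and the issuer, subject, SPKI and signature bytes in the samples are constructed placeholders.

```python
# Added example (not from the issue or Bouncy Castle). Decodes a
# DeltaCertificateDescriptor by dispatching on tag numbers rather than on
# position, so omitting OPTIONAL issuer/subject (equal to the base cert's)
# cannot shift the fields that follow. Layout is my reading of the draft:
#   serialNumber, [0] signature?, [1] issuer?, [2] validity?, [3] subject?,
#   subjectPublicKeyInfo, [4] extensions?, signatureValue BIT STRING

OPTIONAL_FIELDS = {0: "signature", 1: "issuer", 2: "validity",
                   3: "subject", 4: "extensions"}

def _tlv(data, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _der(tag, value):
    """Short-form-only DER encoder, used just to construct sample input."""
    assert len(value) < 0x80, "sample values are short"
    return bytes([tag, len(value)]) + value

def build_descriptor(serial, spki, sig, issuer=None, subject=None):
    """Construct a descriptor; issuer/subject are left out when None."""
    body = _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    if issuer is not None:
        body += _der(0xA1, issuer)          # [1] issuer (Name is a CHOICE, so EXPLICIT)
    if subject is not None:
        body += _der(0xA3, subject)         # [3] subject
    body += _der(0x30, spki) + _der(0x03, b"\x00" + sig)   # SPKI, BIT STRING (0 unused bits)
    return _der(0x30, body)

def parse_descriptor(der):
    """Decode into a dict keyed by field name; absent OPTIONALs simply have no key."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("DeltaCertificateDescriptor must be a SEQUENCE")
    tag, val, pos = _tlv(body, 0)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER must come first")
    fields = {"serialNumber": int.from_bytes(val, "big", signed=True)}
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag & 0xC0 == 0x80:              # context-specific: one of the OPTIONALs
            fields[OPTIONAL_FIELDS[tag & 0x1F]] = val
        elif tag == 0x30 and "subjectPublicKeyInfo" not in fields:
            fields["subjectPublicKeyInfo"] = val
        elif tag == 0x03:
            fields["signatureValue"] = val
        else:
            raise ValueError("unexpected element, tag 0x%02x" % tag)
    return fields
```

Calling build_descriptor with neither issuer nor subject reproduces the shape of the extension the issue describes, and parse_descriptor still lands subjectPublicKeyInfo and signatureValue on the right fields.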
@NoahFreising NoahFreising changed the title IllegalArgumentException when Building Certificate with Delta Certificate Extension Using makeDeltaCertificateExtension() if Subject and Issuer are the ame IllegalArgumentException when Building Certificate with Delta Certificate Extension if Subject and Issuer are the Same May 25, 2024
@dghgit dghgit self-assigned this Jun 3, 2024