0

Recently I'm reading code of bouncycastle(java), I noticed that when using EdDSA, we are using org.bouncycastle.asn1.x509.SubjectPublicKeyInfo#getPublicKeyData to get publicKey in org.bouncycastle.jcajce.provider.asymmetric.edec.BCEdDSAPublicKey#populateFromPubKeyInfo. But when using RSA we are using org.bouncycastle.asn1.x509.SubjectPublicKeyInfo#parsePublicKey in org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPublicKey#populateFromPublicKeyInfo.

The comment of parsePublicKey is for when the public key is an encoded object - if the bitstring can't be decoded this routine throws an IOException. and getPublicKeyData's is for when the public key is raw bits..

I am confused that how can we decide which method to use? Is this written in EdDSA spec or somewhere? I googled around and found nothing.

Edit:

Following is the info I collected, corret me if I'm wrong.

Both EdRsa publicKey and RSA publicKey is ASN.1 encoded,the use of org.bouncycastle.asn1.x509.SubjectPublicKeyInfo#getPublicKeyData is simply because EdRsa publicKey only contains one component (a simple byte array) while rsa key contains two component(modules and publicExp).

Almost all private key is pkcs#8 encoded, after all it's named "Private-Key Information Syntax Standard". But rsa privateKey can also encoded in pkcs#1 which cames before pkc#8, and those two formats can be converted back and force.

Nick Allen
  • 1,647
  • 14
  • 20

1 Answers1

2

RFC 5280 specifies that X.509 public keys be encoded in a SubjectPublicKeyInfo ASN.1 SEQUENCE. This has two parts: the first ('algorithm') is an AlgorithmIdentifier which tells you what algorithm the key is for, and the second ('subjectPublicKey') is an ASN.1 BIT STRING whose interpretation is algorithm-dependent.

In the case of EdDSA, its use in X.509 was specified in RFC 8410. That RFC provides the OBJECT IDENTIFIER to use in the 'algorithm' for Ed25519/Ed448 and retains the public key format specified in the original EdDSA RFC - RFC 8032 i.e. a byte string, so that's what goes in the 'subjectPublicKey'.

Community
  • 1
  • 1
Peter Dettman
  • 3,867
  • 20
  • 34
  • 1
    OTOH RSA is specified in 3280 2.3.1 as an ASN.1 structure, which is actually the same as PKCS1 (RFC 2313, 2437, 4347, 8017) though not referenced there, reaffirmed in 4055 1.2. – dave_thompson_085 Dec 26 '20 at 20:21
  • So is EdDSA publicKey is raw bits because it only contains a single object, while rsa keys is asn.1 encoded because it contains two object(modulus and publicExp)? – Nick Allen Dec 28 '20 at 09:04
  • @NickAllen: not really. EdDSA key contains two values, y and sign(x), in a fixed encoding defined by 8032 not using ASN1. ECDSA (and ECDH) has _two_ representations described in 5480 based on X9.62 and SEC1, both fixed non-ASN1, that semantically represent two values either x,y or x,sign_or_parity(y). OTOH DSA pubkey is a single integer but is ASN1-encoded as defined in 3279 2.3.2. Basically it's an arbitrary decision made by the standardizers and you have to read what they wrote. – dave_thompson_085 Jan 03 '21 at 23:59