Internet Engineering Task Force (IETF)                      S. Josefsson
Request for Comments: 8410                                        SJD AB
Category: Standards Track                                      J. Schaad
ISSN: 2070-1721                                           August Cellars
                                                             August 2018
        

Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure

Abstract

This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided.

Status of This Memo

This is an Internet Standards Track document.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8410.

Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Requirements Terminology
   3.  Curve25519 and Curve448 Algorithm Identifiers
   4.  Subject Public Key Fields
   5.  Key Usage Bits
   6.  EdDSA Signatures
   7.  Private Key Format
   8.  Human-Readable Algorithm Names
   9.  ASN.1 Module
   10. Examples
     10.1.  Example Ed25519 Public Key
     10.2.  Example X25519 Certificate
     10.3.  Examples of Ed25519 Private Key
   11. IANA Considerations
   12. Security Considerations
   13. References
     13.1.  Normative References
     13.2.  Informative References
   Appendix A.  Invalid Encodings
   Acknowledgments
   Authors' Addresses
        
1. Introduction

In [RFC7748], the elliptic curves curve25519 and curve448 are described. They are designed with performance and security in mind. The curves may be used for Diffie-Hellman and digital signature operations.

[RFC7748] describes the operations on these curves for the Diffie-Hellman operation. A convention has developed that when these two curves are used with the Diffie-Hellman operation, they are referred to as X25519 and X448. This RFC defines the ASN.1 Object Identifiers (OIDs) for the operations X25519 and X448 along with the associated parameters. The use of these OIDs is described for public and private keys.

In [RFC8032] the elliptic curve signature system Edwards-curve Digital Signature Algorithm (EdDSA) is described along with a recommendation for the use of the curve25519 and curve448. EdDSA has defined two modes: the PureEdDSA mode without prehashing and the HashEdDSA mode with prehashing. The convention used for identifying the algorithm/curve combinations is to use "Ed25519" and "Ed448" for the PureEdDSA mode. This document does not provide the conventions needed for the prehash versions of the signature algorithm. The use of the OIDs is described for public keys, private keys and signatures.

[RFC8032] additionally defines the concept of a context. Contexts can be used to differentiate signatures generated for different purposes with the same key. The use of contexts is not defined in this document for the following reasons:

o The current implementations of Ed25519 do not support the use of contexts; thus, if specified, it will potentially delay the use of these algorithms further.

o EdDSA is the only IETF algorithm that currently supports the use of contexts; however, there is a possibility that there will be confusion between which algorithms need to have separate keys and which do not. This may result in a decrease of security for those other algorithms.

o There are still ongoing discussions among the cryptographic community about how effective the use of contexts is for preventing attacks.

o There needs to be discussions about the correct way to identify when context strings are to be used. It is not clear if different OIDs should be used for different contexts or the OID should merely note that a context string needs to be provided.

2. Requirements Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Curve25519 and Curve448 Algorithm Identifiers

Certificates conforming to [RFC5280] can convey a public key for any public key algorithm. The certificate indicates the algorithm through an algorithm identifier. An algorithm identifier consists of an OID and optional parameters.

The AlgorithmIdentifier type, which is included for convenience, is defined as follows:

   AlgorithmIdentifier  ::=  SEQUENCE  {
       algorithm   OBJECT IDENTIFIER,
       parameters  ANY DEFINED BY algorithm OPTIONAL
   }
        

The fields in AlgorithmIdentifier have the following meanings:

o algorithm identifies the cryptographic algorithm with an object identifier. Four such OIDs are defined below.

o parameters, which are optional, are the associated parameters for the algorithm identifier in the algorithm field.

In this document, we define four new OIDs for identifying the different curve/algorithm pairs: the curves being curve25519 and curve448 and the algorithms being ECDH and EdDSA in pure mode. For all of the OIDs, the parameters MUST be absent.

It is possible to find systems that require the parameters to be present. This can be due to either a defect in the original 1997 syntax or a programming error where developers never got input where this was not true. The optimal solution is to fix these systems; where this is not possible, the problem needs to be restricted to that subsystem and not propagated to the Internet.

The same algorithm identifiers are used for identifying a public key, a private key, and a signature (for the two EdDSA related OIDs). Additional encoding information is provided below for each of these locations.

   id-X25519    OBJECT IDENTIFIER ::= { 1 3 101 110 }
   id-X448      OBJECT IDENTIFIER ::= { 1 3 101 111 }
   id-Ed25519   OBJECT IDENTIFIER ::= { 1 3 101 112 }
   id-Ed448     OBJECT IDENTIFIER ::= { 1 3 101 113 }
        
4. Subject Public Key Fields

In the X.509 certificate, the subjectPublicKeyInfo field has the SubjectPublicKeyInfo type, which has the following ASN.1 syntax:

   SubjectPublicKeyInfo  ::=  SEQUENCE  {
       algorithm         AlgorithmIdentifier,
       subjectPublicKey  BIT STRING
   }
        

The fields in SubjectPublicKeyInfo have the following meanings:

o algorithm is the algorithm identifier and parameters for the public key (see above).

o subjectPublicKey contains the byte stream of the public key. The algorithms defined in this document always encode the public key as an exact multiple of 8 bits.

Both [RFC7748] and [RFC8032] define the public key value as being a byte string. It should be noted that the public key is computed differently for each of these documents; thus, the same private key will not produce the same public key.

The following is an example of a public key encoded using the textual encoding defined in [RFC7468].

   -----BEGIN PUBLIC KEY-----
   MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
   -----END PUBLIC KEY-----
        
5. Key Usage Bits

The intended application for the key is indicated in the keyUsage certificate extension.

If the keyUsage extension is present in a certificate that indicates id-X25519 or id-X448 in SubjectPublicKeyInfo, then the following MUST be present:

          keyAgreement;

one of the following MAY also be present:

          encipherOnly; or
          decipherOnly.

If the keyUsage extension is present in an end-entity certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension MUST contain one or both of the following values:

          nonRepudiation; and
          digitalSignature.

If the keyUsage extension is present in a certification authority certificate that indicates id-Ed25519 or id-Ed448, then the keyUsage extension MUST contain one or more of the following values:

          nonRepudiation;
          digitalSignature;
          keyCertSign; and
          cRLSign.
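
An added example (not part of the RFC text) of the checks in this section, in Python. The sample extension value 03 02 03 08 is reconstructed from the keyUsage entry in the Section 10.2 certificate dump; function names are illustrative, and flagging bits outside the listed sets is a strict reading taken as an assumption here.

```python
# KeyUsage named bits in RFC 5280 order. Bit 0 is the most significant bit
# of the first content octet of the BIT STRING.
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
            "encipherOnly", "decipherOnly"]

# keyUsage value of the Section 10.2 certificate, rebuilt from the dump:
# BIT STRING, length 2, 3 unused bits, bit 4 set.
SAMPLE_KU = bytes.fromhex("03020308")


def decode_key_usage(der):
    """Decode a DER-encoded KeyUsage BIT STRING into a set of bit names."""
    if len(der) < 4 or der[0] != 0x03 or der[1] != len(der) - 2 or der[1] > 3:
        raise ValueError("not a KeyUsage BIT STRING")
    unused, data = der[2], der[3:]
    if unused > 7 or data[-1] & ((1 << unused) - 1):
        raise ValueError("bad unused-bits count or non-zero padding bits")
    nbits = len(data) * 8 - unused
    return {KU_NAMES[i] for i in range(min(nbits, len(KU_NAMES)))
            if data[i // 8] & (0x80 >> (i % 8))}


def check_key_usage(alg, usage, is_ca=False):
    """Return the list of Section 5 findings; an empty list means conformant."""
    problems = []
    if alg in ("X25519", "X448"):
        allowed = {"keyAgreement", "encipherOnly", "decipherOnly"}
        if "keyAgreement" not in usage:
            problems.append("keyAgreement MUST be present")
        if {"encipherOnly", "decipherOnly"} <= usage:
            problems.append("only one of encipherOnly/decipherOnly MAY be present")
    elif alg in ("Ed25519", "Ed448"):
        allowed = {"nonRepudiation", "digitalSignature"}
        if is_ca:
            allowed |= {"keyCertSign", "cRLSign"}
        if not usage & allowed:
            problems.append("none of %s present" % sorted(allowed))
    else:
        raise ValueError("not an RFC 8410 algorithm: " + alg)
    # Assumption (strict reading): bits outside the listed set are reported.
    extra = usage - allowed
    if extra:
        problems.append("bits not listed for %s: %s" % (alg, sorted(extra)))
    return problems


if __name__ == "__main__":
    usage = decode_key_usage(SAMPLE_KU)
    print(sorted(usage), check_key_usage("X25519", usage))
    print(check_key_usage("Ed25519", {"keyCertSign"}, is_ca=False))
```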
        
6. EdDSA Signatures

Signatures can be placed in a number of different ASN.1 structures. The top level structure for a certificate is given below as being illustrative of how signatures are frequently encoded with an algorithm identifier and a location for the signature.

      Certificate  ::=  SEQUENCE  {
           tbsCertificate       TBSCertificate,
           signatureAlgorithm   AlgorithmIdentifier,
           signatureValue       BIT STRING  }
        

The same algorithm identifiers are used for signatures as are used for public keys. When used to identify signature algorithms, the parameters MUST be absent.

The data to be signed is prepared for EdDSA. Then, a private key operation is performed to generate the signature value. This value is the opaque value ENC(R) || ENC(S) described in Section 3.3 of [RFC8032]. The octet string representing the signature is encoded directly in the BIT STRING without adding any additional ASN.1 wrapping. For the Certificate structure, the signature value is wrapped in the "signatureValue" BIT STRING field.

7. Private Key Format

"Asymmetric Key Packages" [RFC5958] describes how to encode a private key in a structure that both identifies what algorithm the private key is for and allows for the public key and additional attributes about the key to be included as well. For illustration, the ASN.1 structure OneAsymmetricKey is replicated below. The algorithm-specific details of how a private key is encoded are left for the document describing the algorithm itself.

   OneAsymmetricKey ::= SEQUENCE {
      version Version,
      privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
      privateKey PrivateKey,
      attributes [0] IMPLICIT Attributes OPTIONAL,
      ...,
      [[2: publicKey [1] IMPLICIT PublicKey OPTIONAL ]],
      ...
   }
        
   PrivateKey ::= OCTET STRING
        
   PublicKey ::= BIT STRING
        

For the keys defined in this document, the private key is always an opaque byte sequence. The ASN.1 type CurvePrivateKey is defined in this document to hold the byte sequence. Thus, when encoding a OneAsymmetricKey object, the private key is wrapped in a CurvePrivateKey object and wrapped by the OCTET STRING of the "privateKey" field.

   CurvePrivateKey ::= OCTET STRING
        

To encode an EdDSA, X25519, or X448 private key, the "privateKey" field will hold the encoded private key. The "privateKeyAlgorithm" field uses the AlgorithmIdentifier structure. The structure is encoded as defined above. If present, the "publicKey" field will hold the encoded key as defined in [RFC7748] and [RFC8032].

The following is an example of a private key encoded using the textual encoding defined in [RFC7468].

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
   -----END PRIVATE KEY-----
        

The following example, in addition to encoding the private key, has an attribute included as well as the public key. As with the prior example, the textual encoding defined in [RFC7468] is used.

   -----BEGIN PRIVATE KEY-----
   MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
   oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
   Z9w7lshQhqowtrbLDFw4rXAxZuE=
   -----END PRIVATE KEY-----
        

NOTE: There exist some private key import functions that have not picked up the new ASN.1 structure OneAsymmetricKey that is defined in [RFC7748]. This means that they will not accept a private key structure that contains the public key field. This means a balancing act needs to be done between being able to do a consistency check on the key pair and widest ability to import the key.
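
The following Python is an added example, not part of the RFC text. It reads the Section 4 public key and the second Section 7 private key from this document with a minimal DER reader and enforces the encoding rules stated above: one of the four OIDs, parameters absent, a whole-octet BIT STRING, and the CurvePrivateKey OCTET STRING nested inside the "privateKey" OCTET STRING. Function names are illustrative, and the per-algorithm key lengths are taken from [RFC7748] and [RFC8032].

```python
import base64

# OIDs from Section 3 with the raw key length in octets (RFC 7748 / RFC 8032).
ALGS = {"1.3.101.110": ("X25519", 32), "1.3.101.111": ("X448", 56),
        "1.3.101.112": ("Ed25519", 32), "1.3.101.113": ("Ed448", 57)}

# PEM text copied from Sections 4 and 7 of this document.
PUBLIC_PEM = """-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
-----END PUBLIC KEY-----"""
PRIVATE_PEM = """-----BEGIN PRIVATE KEY-----
MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
Z9w7lshQhqowtrbLDFw4rXAxZuE=
-----END PRIVATE KEY-----"""


def pem_to_der(pem):
    """Drop the RFC 7468 boundary lines and base64-decode the body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    return base64.b64decode("".join(ln for ln in lines if not ln.startswith("-----")))


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated element or unsupported high tag number")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf) or buf[pos] == 0:
            raise ValueError("bad or non-minimal length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80:
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length > len(buf):
        raise ValueError("element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content octets of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OBJECT IDENTIFIER")
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def parse_algorithm(alg):
    """Check an AlgorithmIdentifier body; return (name, key_length)."""
    fields = children(alg)
    if not fields or fields[0][0] != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = decode_oid(fields[0][1])
    if oid not in ALGS:
        raise ValueError("not an RFC 8410 algorithm: " + oid)
    if len(fields) != 1:  # Section 3: parameters MUST be absent (NULL counts as present)
        raise ValueError("parameters present for " + ALGS[oid][0])
    return ALGS[oid]


def parse_spki(der):
    """Parse SubjectPublicKeyInfo; return (algorithm name, raw public key)."""
    tag, body, end = read_tlv(der)
    fields = children(body) if tag == 0x30 and end == len(der) else []
    if [t for t, _ in fields] != [0x30, 0x03]:
        raise ValueError("expected SEQUENCE { AlgorithmIdentifier, BIT STRING }")
    name, size = parse_algorithm(fields[0][1])
    bits = fields[1][1]
    if len(bits) != size + 1 or bits[0] != 0:
        raise ValueError("%s key must be %d octets with no unused bits" % (name, size))
    return name, bits[1:]


def parse_one_asymmetric_key(der):
    """Parse OneAsymmetricKey; return algorithm, version, private and public key."""
    tag, body, end = read_tlv(der)
    fields = children(body) if tag == 0x30 and end == len(der) else []
    if [t for t, _ in fields[:3]] != [0x02, 0x30, 0x04]:
        raise ValueError("expected version, privateKeyAlgorithm, privateKey")
    name, size = parse_algorithm(fields[1][1])
    # privateKey is an OCTET STRING whose content is the CurvePrivateKey OCTET STRING.
    tag, raw, end = read_tlv(fields[2][1])
    if tag != 0x04 or end != len(fields[2][1]) or len(raw) != size:
        raise ValueError("privateKey must wrap one %d-octet CurvePrivateKey" % size)
    public = None
    for tag, val in fields[3:]:
        if tag == 0x81:  # publicKey [1] IMPLICIT BIT STRING
            if len(val) != size + 1 or val[0] != 0:
                raise ValueError("bad embedded public key")
            public = val[1:]
    return {"algorithm": name, "version": int.from_bytes(fields[0][1], "big"),
            "private": raw, "public": public}
```

Comparing the "public" value returned for the private key file with the key returned by parse_spki confirms that the two PEM examples in this document carry the same Ed25519 public key; an importer that rejects the "publicKey" field cannot make that comparison.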

8. Human-Readable Algorithm Names

For the purpose of consistent cross-implementation naming, this section establishes human-readable names for the algorithms specified in this document. Implementations SHOULD use these names when referring to the algorithms. If there is a strong reason to deviate from these names -- for example, if the implementation has a different naming convention and wants to maintain internal consistency -- it is encouraged to deviate as little as possible from the names given here.

Use the string "ECDH" when referring to a public key of type "X25519" or "X448" when the curve is not known or relevant.

When the curve is known, use the more specific string of "X25519" or "X448".

Use the string "EdDSA" when referring to a signing public key or signature when the curve is not known or relevant.

When the curve is known, use a more specific string. For the id-Ed25519 value use the string "Ed25519". For id-Ed448, use "Ed448".

9. ASN.1 Module

For reference purposes, the ASN.1 syntax is presented as an ASN.1 module here.

-- ASN.1 Module

   Safecurves-pkix-18
   { iso(1) identified-organization(3) dod(6) internet(1)
     security(5) mechanisms(5) pkix(7) id-mod(0)
     id-mod-safecurves-pkix(93) }
        
   DEFINITIONS EXPLICIT TAGS ::=
   BEGIN
        
   IMPORTS
     SIGNATURE-ALGORITHM, KEY-AGREE, PUBLIC-KEY, KEY-WRAP,
     KeyUsage, AlgorithmIdentifier
     FROM AlgorithmInformation-2009
       {iso(1) identified-organization(3) dod(6) internet(1) security(5)
       mechanisms(5) pkix(7) id-mod(0)
       id-mod-algorithmInformation-02(58)}
        
     mda-sha512
     FROM PKIX1-PSS-OAEP-Algorithms-2009
       { iso(1) identified-organization(3) dod(6) internet(1)
         security(5) mechanisms(5) pkix(7) id-mod(0)
         id-mod-pkix1-rsa-pkalgs-02(54) }
        
     kwa-aes128-wrap, kwa-aes256-wrap
     FROM CMSAesRsaesOaep-2009
       { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
         smime(16) modules(0) id-mod-cms-aes-02(38) }
     ;
        
   id-edwards-curve-algs OBJECT IDENTIFIER ::= { 1 3 101 }
        
   id-X25519        OBJECT IDENTIFIER ::= { id-edwards-curve-algs 110 }
   id-X448          OBJECT IDENTIFIER ::= { id-edwards-curve-algs 111 }
   id-Ed25519       OBJECT IDENTIFIER ::= { id-edwards-curve-algs 112 }
   id-Ed448         OBJECT IDENTIFIER ::= { id-edwards-curve-algs 113 }
        
    sa-Ed25519 SIGNATURE-ALGORITHM ::= {
       IDENTIFIER id-Ed25519
        PARAMS ARE absent
        PUBLIC-KEYS {pk-Ed25519}
        SMIME-CAPS { IDENTIFIED BY id-Ed25519 }
    }
        
    pk-Ed25519 PUBLIC-KEY ::= {
        IDENTIFIER id-Ed25519
        -- KEY no ASN.1 wrapping --
        PARAMS ARE absent
        CERT-KEY-USAGE {digitalSignature, nonRepudiation,
                        keyCertSign, cRLSign}
        PRIVATE-KEY CurvePrivateKey
    }
        
    kaa-X25519 KEY-AGREE ::= {
        IDENTIFIER id-X25519
        PARAMS ARE absent
        PUBLIC-KEYS {pk-X25519}
        UKM -- TYPE no ASN.1 wrapping -- ARE preferredPresent
        SMIME-CAPS {
           TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
           IDENTIFIED BY id-X25519 }
    }
        
    pk-X25519 PUBLIC-KEY ::= {
        IDENTIFIER id-X25519
        -- KEY no ASN.1 wrapping --
        PARAMS ARE absent
        CERT-KEY-USAGE { keyAgreement }
        PRIVATE-KEY CurvePrivateKey
    }
        
    KeyWrapAlgorithms KEY-WRAP ::= {
        kwa-aes128-wrap | kwa-aes256-wrap,
        ...
    }
        
    kaa-X448 KEY-AGREE ::= {
        IDENTIFIER id-X448
        PARAMS ARE absent
        PUBLIC-KEYS {pk-X448}
        UKM -- TYPE no ASN.1 wrapping  -- ARE preferredPresent
        SMIME-CAPS {
           TYPE AlgorithmIdentifier{KEY-WRAP, {KeyWrapAlgorithms}}
           IDENTIFIED BY id-X448 }
    }
        
    pk-X448 PUBLIC-KEY ::= {
        IDENTIFIER id-X448
        -- KEY no ASN.1 wrapping --
        PARAMS ARE absent
        CERT-KEY-USAGE { keyAgreement }
        PRIVATE-KEY CurvePrivateKey
    }
        
   CurvePrivateKey ::= OCTET STRING
        

END

10. Examples

This section contains illustrations of EdDSA public keys and certificates, illustrating parameter choices.

10.1. Example Ed25519 Public Key

An example of an Ed25519 public key:

         Public Key Information:
             Public Key Algorithm: Ed25519
             Algorithm Security Level: High

         Public Key Usage:

         Public Key ID: 9b1f5eeded043385e4f7bc623c5975b90bc8bb3b

         -----BEGIN PUBLIC KEY-----
         MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
         -----END PUBLIC KEY-----

10.2. Example X25519 Certificate

An example of a self-issued PKIX certificate using Ed25519 to sign an X25519 public key would be:

     0 300: SEQUENCE {
     4 223:   SEQUENCE {
     7   3:     [0] {
     9   1:       INTEGER 2
          :       }
    12   8:     INTEGER 56 01 47 4A 2A 8D C3 30
    22   5:     SEQUENCE {
    24   3:       OBJECT IDENTIFIER
          :         Ed 25519 signature algorithm { 1 3 101 112 }
          :       }
    29  25:     SEQUENCE {
    31  23:       SET {
    33  21:         SEQUENCE {
    35   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
    40  14:           UTF8String 'IETF Test Demo'
          :           }
          :         }
          :       }
    56  30:     SEQUENCE {
    58  13:       UTCTime 01/08/2016 12:19:24 GMT
    73  13:       UTCTime 31/12/2040 23:59:59 GMT
          :       }
    88  25:     SEQUENCE {
    90  23:       SET {
    92  21:         SEQUENCE {
    94   3:           OBJECT IDENTIFIER commonName (2 5 4 3)
    99  14:           UTF8String 'IETF Test Demo'
          :           }
          :         }
          :       }
   115  42:     SEQUENCE {
   117   5:       SEQUENCE {
   119   3:         OBJECT IDENTIFIER
          :           ECDH 25519 key agreement { 1 3 101 110 }
          :         }
   124  33:       BIT STRING
          :         85 20 F0 09 89 30 A7 54 74 8B 7D DC B4 3E F7 5A
          :         0D BF 3A 0D 26 38 1A F4 EB A4 A9 8E AA 9B 4E 6A
          :       }
   159  69:     [3] {
   161  67:       SEQUENCE {
   163  15:         SEQUENCE {
   165   3:           OBJECT IDENTIFIER basicConstraints (2 5 29 19)
   170   1:           BOOLEAN TRUE
   173   5:           OCTET STRING, encapsulates {
   175   3:             SEQUENCE {
   177   1:               BOOLEAN FALSE
          :               }
          :             }
          :           }
   180  14:         SEQUENCE {
   182   3:           OBJECT IDENTIFIER keyUsage (2 5 29 15)
   187   1:           BOOLEAN FALSE
   190   4:           OCTET STRING, encapsulates {
   192   2:             BIT STRING 3 unused bits
          :               '10000'B (bit 4)
          :             }
          :           }
   196  32:         SEQUENCE {
   198   3:           OBJECT IDENTIFIER subjectKeyIdentifier (2 5 29 14)
   203   1:           BOOLEAN FALSE
   206  22:           OCTET STRING, encapsulates {
   208  20:             OCTET STRING
          :               9B 1F 5E ED ED 04 33 85 E4 F7 BC 62 3C 59 75
          :               B9 0B C8 BB 3B
          :             }
          :           }
          :         }
          :       }
          :     }
   230   5:   SEQUENCE {
   232   3:     OBJECT IDENTIFIER
          :       Ed 25519 signature algorithm { 1 3 101 112 }
          :     }
   237  65:   BIT STRING
          :     AF 23 01 FE DD C9 E6 FF C1 CC A7 3D 74 D6 48 A4
          :     39 80 82 CD DB 69 B1 4E 4D 06 EC F8 1A 25 CE 50
          :     D4 C2 C3 EB 74 6C 4E DD 83 46 85 6E C8 6F 3D CE
          :     1A 18 65 C5 7A C2 7B 50 A0 C3 50 07 F5 E7 D9 07
          :   }
        
   -----BEGIN CERTIFICATE-----
   MIIBLDCB36ADAgECAghWAUdKKo3DMDAFBgMrZXAwGTEXMBUGA1UEAwwOSUVURiBUZX
   N0IERlbW8wHhcNMTYwODAxMTIxOTI0WhcNNDAxMjMxMjM1OTU5WjAZMRcwFQYDVQQD
   DA5JRVRGIFRlc3QgRGVtbzAqMAUGAytlbgMhAIUg8AmJMKdUdIt93LQ+91oNvzoNJj
   ga9OukqY6qm05qo0UwQzAPBgNVHRMBAf8EBTADAQEAMA4GA1UdDwEBAAQEAwIDCDAg
   BgNVHQ4BAQAEFgQUmx9e7e0EM4Xk97xiPFl1uQvIuzswBQYDK2VwA0EAryMB/t3J5v
   /BzKc9dNZIpDmAgs3babFOTQbs+BolzlDUwsPrdGxO3YNGhW7Ibz3OGhhlxXrCe1Cg
   w1AH9efZBw==
   -----END CERTIFICATE-----
        
10.3. Examples of Ed25519 Private Key

An example of an Ed25519 private key without the public key:

   -----BEGIN PRIVATE KEY-----
   MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
   -----END PRIVATE KEY-----
        

The same item dumped as ASN.1 yields:

    0 30   46: SEQUENCE {
    2 02    1:   INTEGER 0
    5 30    5:   SEQUENCE {
    7 06    3:     OBJECT IDENTIFIER
             :       Ed 25519 signature algorithm { 1 3 101 112 }
             :     }
   12 04   34:   OCTET STRING
             :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
             :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
             :     58 42
             :   }
        

Note that the value of the private key is:

D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69 F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75 58 42

An example of the same Ed25519 private key encoded with an attribute and the public key:

   -----BEGIN PRIVATE KEY-----
   MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
   oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB
   Z9w7lshQhqowtrbLDFw4rXAxZuE=
   -----END PRIVATE KEY-----
        

The same item dumped as ASN.1 yields:

     0 114: SEQUENCE {
     2   1:   INTEGER 1
     5   5:   SEQUENCE {
     7   3:     OBJECT IDENTIFIER '1 3 101 112'
          :     }
    12  34:   OCTET STRING, encapsulates {
          :     04 20 D4 EE 72 DB F9 13 58 4A D5 B6 D8 F1 F7 69
          :     F8 AD 3A FE 7C 28 CB F1 D4 FB E0 97 A8 8F 44 75
          :     58 42
          :     }
    48  31:   [0] {
    50  29:     SEQUENCE {
    52  10:       OBJECT IDENTIFIER '1 2 840 113549 1 9 9 20'
    64  15:       SET {
    66  13:         UTF8String 'Curdle Chairs'
          :         }
          :       }
          :     }
    81  33:   [1] 00 19 BF 44 09 69 84 CD FE 85 41 BA C1 67 DC 3B
                  96 C8 50 86 AA 30 B6 B6 CB 0C 5C 38 AD 70 31 66
                  E1
          :   }
        
11. IANA Considerations

For the ASN.1 module in Section 9, IANA has registered value 93 for "id-mod-safecurves-pkix" in the "SMI Security for PKIX Module Identifier" (1.3.6.1.5.5.7.0) registry.

The OIDs are being independently registered in the IANA registry "SMI Security for Cryptographic Algorithms" in [RFC8411].

12. Security Considerations

The security considerations of [RFC5280], [RFC7748], and [RFC8032] apply accordingly.

The procedures for going from a private key to a public key are different when used with Diffie-Hellman versus when used with Edwards Signatures. This means that the same public key cannot be used for both ECDH and EdDSA.
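
The difference described above, worked through with the private key bytes from Section 10.3, as an added example (not code from this document or its authors). It uses plain affine arithmetic that is not constant-time, and obtains the X25519 result through the birational map from edwards25519 instead of the Montgomery ladder of [RFC7748]; all function names are illustrative.

```python
import hashlib

P = 2**255 - 19
D = -121665 * pow(121666, P - 2, P) % P        # edwards25519 constant d

def _recover_x(y):
    """Even x for a given y on -x^2 + y^2 = 1 + d*x^2*y^2 (RFC 8032 decoding rule)."""
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P
    return P - x if x & 1 else x

BY = 4 * pow(5, P - 2, P) % P
BASE = (_recover_x(BY), BY)                    # Ed25519 base point, y = 4/5

def _add(p1, p2):
    """Complete twisted Edwards addition; the same formula also doubles a point."""
    (x1, y1), (x2, y2) = p1, p2
    t = D * x1 * x2 * y1 * y2 % P
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, P - 2, P) % P
    return x3, y3

def _mul(k, pt):
    acc = (0, 1)                               # neutral element
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt, k = _add(pt, pt), k >> 1
    return acc

def _clamp(raw32):
    # Clear the low three bits and bit 255, set bit 254 (same mask in both RFCs).
    k = int.from_bytes(raw32, "little")
    return (k & ((1 << 254) - 8)) | (1 << 254)

def ed25519_public(seed):
    """RFC 8032: hash the seed with SHA-512, clamp, multiply, encode y plus sign of x."""
    x, y = _mul(_clamp(hashlib.sha512(seed).digest()[:32]), BASE)
    return (y | ((x & 1) << 255)).to_bytes(32, "little")

def x25519_public(scalar):
    """RFC 7748: clamp the raw bytes (no hash), multiply, output Montgomery u."""
    _, y = _mul(_clamp(scalar), BASE)
    u = (1 + y) * pow(1 - y, P - 2, P) % P     # u = (1 + y) / (1 - y)
    return u.to_bytes(32, "little")

# Private key bytes from the Section 10.3 example, usable as input to both functions.
SEED = bytes.fromhex(
    "d4ee72dbf913584ad5b6d8f1f769f8ad3afe7c28cbf1d4fbe097a88f44755842")
```

The same 32 bytes yield the public key shown in Section 10.3 under `ed25519_public` and an unrelated value under `x25519_public`, which is why a key pair has to be bound to one algorithm identifier.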

13. References
13.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, <https://www.rfc-editor.org/info/rfc2119>.

[RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, <https://www.rfc-editor.org/info/rfc5280>.

[RFC5480] Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk, "Elliptic Curve Cryptography Subject Public Key Information", RFC 5480, DOI 10.17487/RFC5480, March 2009, <https://www.rfc-editor.org/info/rfc5480>.

[RFC5958] Turner, S., "Asymmetric Key Packages", RFC 5958, DOI 10.17487/RFC5958, August 2010, <https://www.rfc-editor.org/info/rfc5958>.

[RFC7748] Langley, A., Hamburg, M., and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016, <https://www.rfc-editor.org/info/rfc7748>.

[RFC8032] Josefsson, S. and I. Liusvaara, "Edwards-Curve Digital Signature Algorithm (EdDSA)", RFC 8032, DOI 10.17487/RFC8032, January 2017, <https://www.rfc-editor.org/info/rfc8032>.

[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, <https://www.rfc-editor.org/info/rfc8174>.

13.2. Informative References

[RFC3279] Bassham, L., Polk, W., and R. Housley, "Algorithms and Identifiers for the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 3279, DOI 10.17487/RFC3279, April 2002, <https://www.rfc-editor.org/info/rfc3279>.

[RFC4055] Schaad, J., Kaliski, B., and R. Housley, "Additional Algorithms and Identifiers for RSA Cryptography for use in the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 4055, DOI 10.17487/RFC4055, June 2005, <https://www.rfc-editor.org/info/rfc4055>.

[RFC5639] Lochter, M. and J. Merkle, "Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve Generation", RFC 5639, DOI 10.17487/RFC5639, March 2010, <https://www.rfc-editor.org/info/rfc5639>.

[RFC7468] Josefsson, S. and S. Leonard, "Textual Encodings of PKIX, PKCS, and CMS Structures", RFC 7468, DOI 10.17487/RFC7468, April 2015, <https://www.rfc-editor.org/info/rfc7468>.

[RFC8411] Schaad, J. and R. Andrews, "IANA Registration for the Cryptographic Algorithm Object Identifier Range", RFC 8411, DOI 10.17487/RFC8411, August 2018, <http://www.rfc-editor.org/info/rfc8411>.

Appendix A. Invalid Encodings

There are a number of things that need to be dealt with when a new key part is decoded and imported into the system. A partial list of these includes:

o ASN.1 encoding errors: Two items are highlighted here. First, the use of an OCTET STRING rather than a BIT STRING for the public key. The use of OCTET STRING was a copy error that existed in a previous draft version of this document; the structure is correct in [RFC5958]. However, any early implementation may have this wrong. Second, the value of the version field is required to be 0 if the publicKey is absent and 1 if present. This is called out in [RFC5958], but was not duplicated above.

o Key encoding errors: Both [RFC7748] and [RFC8032] have formatting requirements for keys that need to be enforced. In some cases, the enforcement is done at the time of importing, for example, doing masking or a mod p operation. In other cases, the enforcement is done by rejecting the keys and having an import failure.

o Key mismatch errors: If a public key is provided, it may not agree with the private key because either it is wrong or the wrong algorithm was used.

Some systems are also going to be stricter on what they accept. As stated in [RFC5958], BER decoding of OneAsymmetricKey objects is a requirement for compliance. Despite this requirement, some acceptors will only decode DER formats. The following is a BER encoding of a private key; it is valid, but it may not be accepted by many systems.

   -----BEGIN PRIVATE KEY-----
   MIACAQAwgAYDK2VwAAAEIgQg1O5y2/kTWErVttjx92n4rTr+fCjL8dT74Jeoj0R1W
   EIAAA==
   -----END PRIVATE KEY-----
        

What follows here is a brief sampling of some incorrect keys.

In the following example, the private key does not match the masking requirements for X25519. For this example, the top bits are set to zero and the bottom three bits are set to 001.

   -----BEGIN PRIVATE KEY-----
   MFMCAQEwBQYDK2VuBCIEIPj///////////////////////////////////////8/oS
   MDIQCEfA0sN1I082XmYJVRh6NzWg92E9FgnTpqTYxTrqpaIg==
   -----END PRIVATE KEY-----
        

In the following examples, the key is the wrong length because an all-zero byte has been removed. In one case, the first byte has been removed; in the other case, the last byte has been removed.

   -----BEGIN PRIVATE KEY-----
   MFICAQEwBQYDK2VwBCIEIC3GfeUYbZGTAhwLEE2cbvJL7ivTlcy17VottfN6L8HwoS
   IDIADBfk2Lv/J8H7YYwj/OmIcDx++jzVkKrKwS0/HjyQyM
   -----END PRIVATE KEY-----
        
   -----BEGIN PRIVATE KEY-----
   MFICAQEwBQYDK2VwBCIEILJXn1VaLqvausjUaZexwI/ozmOFjfEk78KcYN+7hsNJoS
   IDIACdQhJwzi/MCGcsQeQnIUh2JFybDxSrZxuLudJmpJLk
   -----END PRIVATE KEY-----
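
The ASN.1-level checks named in the first bullet of this appendix, together with the DER-only acceptance behaviour described before the BER example, as an added example (not code from this document or its authors). It assumes 32-byte keys only (Ed25519 and X25519) and the IMPLICIT tagging of the [RFC5958] module; `read_tlv` and `parse_private_key` are illustrative names.

```python
import base64

OIDS = {bytes.fromhex("2b6570"): "Ed25519", bytes.fromhex("2b656e"): "X25519"}

def read_tlv(buf, pos):
    """Read one DER TLV; return (tag, value, next_pos). BER-only forms are rejected."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x81 and pos < len(buf) and buf[pos] >= 0x80:
        length, pos = buf[pos], pos + 1
    else:
        raise ValueError("indefinite (BER), non-minimal or unsupported length")
    if pos + length > len(buf):
        raise ValueError("value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def parse_private_key(der):
    """Strictly parse a 32-byte-key OneAsymmetricKey; raise ValueError on any defect."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single outer SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, v, pos = read_tlv(body, pos)
        fields.append((t, v))
    if [t for t, _ in fields[:3]] != [0x02, 0x30, 0x04]:
        raise ValueError("expected version, algorithm, privateKey")
    version, alg, wrapped = (v for _, v in fields[:3])
    if alg[:2] != b"\x06\x03" or alg[2:] not in OIDS:
        raise ValueError("unknown algorithm, or parameters present")
    inner_tag, key, inner_end = read_tlv(wrapped, 0)
    if inner_tag != 0x04 or len(key) != 32 or inner_end != len(wrapped):
        raise ValueError("privateKey must wrap one 32-byte OCTET STRING")
    optional = dict(fields[3:])
    if set(optional) - {0xA0, 0x81}:
        raise ValueError("only [0] attributes and [1] IMPLICIT publicKey may follow")
    public = optional.get(0x81)
    # A BIT STRING value starts with an unused-bits octet; an OCTET STRING lacks it.
    if public is not None and (len(public) != 33 or public[0] != 0):
        raise ValueError("publicKey must be a BIT STRING of 32 bytes, 0 unused bits")
    if version != (b"\x01" if public is not None else b"\x00"):
        raise ValueError("version must be 0 without publicKey and 1 with it")
    return {"alg": OIDS[alg[2:]], "version": version[0], "key": key,
            "public": public[1:] if public else None}

# The two Ed25519 examples from Section 10.3 and the BER example from this appendix.
KEY_PLAIN = base64.b64decode(
    "MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC")
KEY_WITH_PUBLIC = base64.b64decode(
    "MHICAQEwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC"
    "oB8wHQYKKoZIhvcNAQkJFDEPDA1DdXJkbGUgQ2hhaXJzgSEAGb9ECWmEzf6FQbrB"
    "Z9w7lshQhqowtrbLDFw4rXAxZuE=")
KEY_BER = base64.b64decode(
    "MIACAQAwgAYDK2VwAAAEIgQg1O5y2/kTWErVttjx92n4rTr+fCjL8dT74Jeoj0R1WEIAAA==")
```

Both Section 10.3 keys parse, while `KEY_BER` is refused at its first length octet: this is the stricter DER-only acceptor the text says many systems are. A decoder meant to comply with the BER requirement of [RFC5958] would need indefinite-length support added to `read_tlv`.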
        

Acknowledgments

Text and/or inspiration were drawn from [RFC5280], [RFC3279], [RFC4055], [RFC5480], and [RFC5639].

The following people discussed the document and provided feedback: Klaus Hartke, Ilari Liusvaara, Erwann Abalea, Rick Andrews, Rob Stradling, James Manger, Nikos Mavrogiannopoulos, Russ Housley, David Benjamin, Brian Smith, and Alex Wilson.

A big thank you to Symantec for kindly donating the OIDs used in this document.

Authors' Addresses

Simon Josefsson
SJD AB

   Email: simon@josefsson.org
        
Jim Schaad
August Cellars

   Email: ietf@augustcellars.com
        