-
Notifications
You must be signed in to change notification settings - Fork 0
PKI Matching
ASN.1 Definition Sifter includes a focused PKI component corpus for common certificate, key, request, and CMS fragments.
Use createPkiComponentCorpus() for the built-in corpus.
In 0.1.5 and later, the corpus is built from the shared pkiComponentDefinition exported by @pkistudio/asn1instancebuilder. This keeps the common PkiStudio PKI baseline in one upstream package while preserving ASN.1 Definition Sifter's existing createPkiComponentCorpus() and pkiComponentDefinition exports.
Important included structures include:
-
AlgorithmIdentifier. -
SubjectPublicKeyInfo. - RFC 8017
RSAPublicKey. -
DSA-Sig-ValueandECDSA-Sig-Value. -
SignatureValue. - EC named-curve parameters.
-
Certificateand related X.509 structures. -
CertificationRequest. -
PrivateKeyInfo. -
ContentInfoand CMS-oriented structures.
Use getPkiProfileTypeNames() or createPkiCandidateReport() profile options to limit matching.
import { createPkiCandidateReport } from '@pkistudio/asn1defsifter';
const report = await createPkiCandidateReport(input, {
profiles: ['x509', 'pkcs10', 'pkcs8'],
includeSubtrees: true
});Profile names include:
x509pkcs10pkcs8cmscomponents
RSAPublicKey is matched against the RFC 8017 shape:
RSAPublicKey ::= SEQUENCE {
modulus INTEGER,
publicExponent INTEGER
}The PKI report layer keeps an RSAPublicKey candidate only when the node has exactly two positive DER INTEGER values with a plausible modulus and exponent.
This prevents generic integer-pair structures from being over-labelled as RSA public keys.
DSA-Sig-Value and ECDSA-Sig-Value are available for integer-pair signature values. These structures are also SEQUENCE { INTEGER, INTEGER }, so they can be structurally compatible with other definitions.
The report layer uses context to reduce common false positives:
-
RSAPublicKeycandidates are suppressed below signatureBIT STRINGcontexts. -
DSA-Sig-ValueandECDSA-Sig-Valuecandidates are suppressed belowsubjectPublicKeycontexts. - Generic
SignatureValuecandidates are not repeated inside already-identified signature value subtrees.
PKI documents frequently use OIDs to decide what a later field means. Examples include algorithm identifiers and content type identifiers.
ASN.1 Definition Sifter records OID evidence and matched paths so callers can combine:
- local TLV shape,
- nearby OID values,
- schema paths,
- document hypotheses,
- subtree reports.
The package does not claim that OID context fully resolves every open type. It exposes enough evidence for a workbench, extension, or agent to explain the remaining uncertainty.