Skip to content

PKI Matching

dweller long gone edited this page May 26, 2026 · 2 revisions

PKI Matching

ASN.1 Definition Sifter includes a focused PKI component corpus for common certificate, key, request, and CMS fragments.

Built-in PKI Corpus

Use createPkiComponentCorpus() for the built-in corpus.

In 0.1.5 and later, the corpus is built from the shared pkiComponentDefinition exported by @pkistudio/asn1instancebuilder. This keeps the common PkiStudio PKI baseline in one upstream package while preserving ASN.1 Definition Sifter's existing createPkiComponentCorpus() and pkiComponentDefinition exports.

Important included structures include:

  • AlgorithmIdentifier.
  • SubjectPublicKeyInfo.
  • RFC 8017 RSAPublicKey.
  • DSA-Sig-Value and ECDSA-Sig-Value.
  • SignatureValue.
  • EC named-curve parameters.
  • Certificate and related X.509 structures.
  • CertificationRequest.
  • PrivateKeyInfo.
  • ContentInfo and CMS-oriented structures.

Profiles

Use getPkiProfileTypeNames() or createPkiCandidateReport() profile options to limit matching.

import { createPkiCandidateReport } from '@pkistudio/asn1defsifter';

const report = await createPkiCandidateReport(input, {
  profiles: ['x509', 'pkcs10', 'pkcs8'],
  includeSubtrees: true
});

Profile names include:

  • x509
  • pkcs10
  • pkcs8
  • cms
  • components

RFC 8017 RSAPublicKey

RSAPublicKey is matched against the RFC 8017 shape:

RSAPublicKey ::= SEQUENCE {
  modulus           INTEGER,
  publicExponent    INTEGER
}

The PKI report layer keeps an RSAPublicKey candidate only when the node has exactly two positive DER INTEGER values with a plausible modulus and exponent.

This prevents generic integer-pair structures from being over-labelled as RSA public keys.

DSA and ECDSA Signature Values

DSA-Sig-Value and ECDSA-Sig-Value are available for integer-pair signature values. These structures are also SEQUENCE { INTEGER, INTEGER }, so they can be structurally compatible with other definitions.

The report layer uses context to reduce common false positives:

  • RSAPublicKey candidates are suppressed below signature BIT STRING contexts.
  • DSA-Sig-Value and ECDSA-Sig-Value candidates are suppressed below subjectPublicKey contexts.
  • Generic SignatureValue candidates are not repeated inside already-identified signature value subtrees.

OID and Open-Type Context

PKI documents frequently use OIDs to decide what a later field means. Examples include algorithm identifiers and content type identifiers.

ASN.1 Definition Sifter records OID evidence and matched paths so callers can combine:

  • local TLV shape,
  • nearby OID values,
  • schema paths,
  • document hypotheses,
  • subtree reports.

The package does not claim that OID context fully resolves every open type. It exposes enough evidence for a workbench, extension, or agent to explain the remaining uncertainty.

Clone this wiki locally