IETF Logo Mail Archive

Re: [Acme] ACME signature mechanics

Richard Barnes <rlb@ipv.sx> Mon, 08 December 2014 06:59 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E42241A6F80 for <acme@ietfa.amsl.com>; Sun, 7 Dec 2014 22:59:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.177
X-Spam-Level:
X-Spam-Status: No, score=-0.177 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_101=0.6, J_CHICKENPOX_51=0.6, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4pvGc4U26Vk for <acme@ietfa.amsl.com>; Sun, 7 Dec 2014 22:59:14 -0800 (PST)
Received: from mail-vc0-f176.google.com (mail-vc0-f176.google.com [209.85.220.176]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15D641A1A1E for <acme@ietf.org>; Sun, 7 Dec 2014 22:59:14 -0800 (PST)
Received: by mail-vc0-f176.google.com with SMTP id hq12so1850792vcb.21 for <acme@ietf.org>; Sun, 07 Dec 2014 22:59:13 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=xCRMGxR6ZjR4R2g33Y42KAQ/z4FEC766bmo9/hLTTc0=; b=ErRush/jf3ahYwJOtykFbRPBOJlvS42mduVDEqtAdXFv0ofC7qRIQlF4+Y9cv/79PG 9BnRCD+9Il80HKwPd2MKc+u82Cfk6to537qSeWV8WUXXicxsTiagJpl8vX3ZBgzEM4q8 zZ4PCip0R6D5guSFLjnMcsms29RxdAE9HDHhgVFLCYtAJWGPJRpZeGx5CS6+8sNM6Dvb Qcvb5RNhmcSUVVDGPW6DzoNRVVgQelqPImD581bMjPpsNgFuRFA6FJkO/aI3hJu+T+st 7wyHruFrIKtwsEy8Ka5tIzX62/3Gr3JOcHefUGpHZDYWG5EMnl0oXnzipYHI2mMCtjjr IMNw==
X-Gm-Message-State: ALoCoQn3R2zoI9Y5JteTelyQ9s2Rnarj8kOout+jMsCINS68Des/92w7PjrIQDZUjXCVmlLxxsZk
MIME-Version: 1.0
X-Received: by 10.52.117.161 with SMTP id kf1mr19920725vdb.65.1418021953202; Sun, 07 Dec 2014 22:59:13 -0800 (PST)
Received: by 10.31.139.9 with HTTP; Sun, 7 Dec 2014 22:59:13 -0800 (PST)
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E127D5205188@WSMSG3153V.srv.dir.telstra.com>
References: <255B9BB34FB7D647A506DC292726F6E127D5205188@WSMSG3153V.srv.dir.telstra.com>
Date: Sun, 07 Dec 2014 22:59:13 -0800
Message-ID: <CAL02cgRnJmB4Ea9D38vZhnS4_aRACkieZnPvDaF2AtDTaB8jXA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: "Manger, James" <James.H.Manger@team.telstra.com>
Content-Type: multipart/alternative; boundary="bcaec547cbddce2e740509aef67b"
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/2nyR8aJGCypzAPWk436IUBv6sIo
Cc: "acme@ietf.org" <acme@ietf.org>
Subject: Re: [Acme] ACME signature mechanics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Dec 2014 06:59:16 -0000

Hey James,

Thanks for the comments.

On Sun, Dec 7, 2014 at 10:38 PM, Manger, James <
James.H.Manger@team.telstra.com> wrote:

> draft-barnes-acme looks like a promising spec.
>
> https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.txt
>

Thanks!



>
> A couple of comments:
>
>
>
> 1. The bytes to-be-signed for the various messages are the concatenation
> of a few fields, with no separators.
>
>    signature-input = nonce || content
>
>    signature-input = signature-nonce || identifier || server-nonce
>
>    signature-input = signature-nonce || server-nonce
>
> This looks problematic as the bytes to-be-signed are not unambiguous by
> themselves. The same signature (eg over ABC) is valid even if bytes are
> moved from a nonce to the content (eg nonce=A, content=BC; and nonce=AB,
> content=C). The same signature may be valid when treated as a different
> type of message (eg signature-nonce=A, identifier=B, server-nonce=C).
>
>
>
> Suggestion: signature-input = <len1><field1> || <len2><field2> || … (where
> <len*n*> is  the length in bytes of the following field, encoded in 8
> bytes)
>
>
>
> [P.S. Watson Ladd pointed out a similar issue with HOBA earlier today in
> an email titled “[http-auth] Concatenation is not injective”.
> http://www.ietf.org/mail-archive/web/http-auth/current/msg02053.html]
>

Adam Langley also pointed this out in a Github issue.

I think the simplest answer is going to be to just use JWS to sign the
entire request, including the nonce as a protected header field.  That gets
around these issues, and re-uses the JWS machinery.



> 2. Appending ‘path’ to ‘.well-known/acme-challenge’ as part of a
> simpleHttps challenge (section 6.1) looks dangerous if not done carefully.
> What if ‘path’ is “../../user/alice/whatever”?
>
>
>
> Suggestion: I would be tempted to say: “take the ‘path’ string value,
> UTF-8 encode it, base64url-encode those bytes, then append to
> ‘.well-known/acme-challenge’”.
>

Good point.  It seems like a simpler solution would just be to require that
the "path" value meet a certain ABNF, e.g., the URL-safe base64 alphabet.
The only reason that the client provides the path is to let it avoid
collisions if it has multiple validations in progress, so there's not a
need for it to be especially expressive.



> 3. ‘nonce’ is “at least 16 bytes, base64-encoded” according to section 5.2
> “Signatures”. Is the base64-encoding removed before using the nonce as part
> of the signature input?
>

That was my intent, but if we make the JWS change mentioned above, then
this won't matter.

--Richard



>
>
> --
>
> James Manger
>
>
>
> _______________________________________________
> Acme mailing list
> Acme@ietf.org
> https://www.ietf.org/mailman/listinfo/acme
>
>

v2.23.0 | Report a Bug | By Email