IETF Logo Mail Archive

[Acme] ACME signature mechanics

"Manger, James" <James.H.Manger@team.telstra.com> Mon, 08 December 2014 06:38 UTC

Return-Path: <James.H.Manger@team.telstra.com>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E578E1A6F7F for <acme@ietfa.amsl.com>; Sun, 7 Dec 2014 22:38:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.599
X-Spam-Level: ***
X-Spam-Status: No, score=3.599 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_AU=0.377, HOST_EQ_AU=0.327, HTML_MESSAGE=0.001, J_CHICKENPOX_101=0.6, J_CHICKENPOX_51=0.6, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_LOW=-0.7, RELAY_IS_203=0.994] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HS0_vSNcwCGC for <acme@ietfa.amsl.com>; Sun, 7 Dec 2014 22:38:49 -0800 (PST)
Received: from ipxavo.tcif.telstra.com.au (ipxavo.tcif.telstra.com.au [203.35.135.200]) by ietfa.amsl.com (Postfix) with ESMTP id CD8401A6F6B for <acme@ietf.org>; Sun, 7 Dec 2014 22:38:47 -0800 (PST)
X-IronPort-AV: E=Sophos;i="5.07,536,1413205200"; d="scan'208,217";a="244408379"
Received: from unknown (HELO ipccvi.tcif.telstra.com.au) ([10.97.217.208]) by ipoavi.tcif.telstra.com.au with ESMTP; 08 Dec 2014 17:24:32 +1100
X-IronPort-AV: E=McAfee;i="5600,1067,7645"; a="261762693"
Received: from wsmsg3752.srv.dir.telstra.com ([172.49.40.173]) by ipccvi.tcif.telstra.com.au with ESMTP; 08 Dec 2014 17:38:46 +1100
Received: from WSMSG3153V.srv.dir.telstra.com ([172.49.40.159]) by WSMSG3752.srv.dir.telstra.com ([172.49.40.173]) with mapi; Mon, 8 Dec 2014 17:38:46 +1100
From: "Manger, James" <James.H.Manger@team.telstra.com>
To: "acme@ietf.org" <acme@ietf.org>
Date: Mon, 08 Dec 2014 17:38:44 +1100
Thread-Topic: ACME signature mechanics
Thread-Index: AdASsZ0M8xUwytSnTxy9udVU0T4hkg==
Message-ID: <255B9BB34FB7D647A506DC292726F6E127D5205188@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US, en-AU
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, en-AU
Content-Type: multipart/alternative; boundary="_000_255B9BB34FB7D647A506DC292726F6E127D5205188WSMSG3153Vsrv_"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/acme/SkJma2ZHVoHIrr06vIGCxGfW1os
Subject: [Acme] ACME signature mechanics
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Dec 2014 06:38:52 -0000

draft-barnes-acme looks like a promising spec.
https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.txt


A couple of comments:

1. The bytes to-be-signed for the various messages are the concatenation of a few fields, with no separators.
   signature-input = nonce || content
   signature-input = signature-nonce || identifier || server-nonce
   signature-input = signature-nonce || server-nonce
This looks problematic as the bytes to-be-signed are not unambiguous by themselves. The same signature (eg over ABC) is valid even if bytes are moved from a nonce to the content (eg nonce=A, content=BC; and nonce=AB, content=C). The same signature may be valid when treated as a different type of message (eg signature-nonce=A, identifier=B, server-nonce=C).

Suggestion: signature-input = <len1><field1> || <len2><field2> || ... (where <lenn> is  the length in bytes of the following field, encoded in 8 bytes)

[P.S. Watson Ladd pointed out a similar issue with HOBA earlier today in an email titled "[http-auth] Concatenation is not injective". http://www.ietf.org/mail-archive/web/http-auth/current/msg02053.html]


2. Appending 'path' to '.well-known/acme-challenge' as part of a simpleHttps challenge (section 6.1) looks dangerous if not done carefully. What if 'path' is "../../user/alice/whatever"?

Suggestion: I would be tempted to say: "take the 'path' string value, UTF-8 encode it, base64url-encode those bytes, then append to '.well-known/acme-challenge'".


3. 'nonce' is "at least 16 bytes, base64-encoded" according to section 5.2 "Signatures". Is the base64-encoding removed before using the nonce as part of the signature input?

--
James Manger

v2.23.0 | Report a Bug | By Email