[Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)

Steffen Nurpmeso <steffen@sdaoden.eu> Sat, 11 May 2024 20:10 UTC

Return-Path: <steffen@sdaoden.eu>
X-Original-To: dcrup@ietfa.amsl.com
Delivered-To: dcrup@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFAEEC14F68D for <dcrup@ietfa.amsl.com>; Sat, 11 May 2024 13:10:50 -0700 (PDT)
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sdaoden.eu header.b="JngTrLQq"; dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=sdaoden.eu header.b="jshdpF7x"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OHXdriSsFKbt for <dcrup@ietfa.amsl.com>; Sat, 11 May 2024 13:10:45 -0700 (PDT)
Received: from sdaoden.eu (sdaoden.eu [217.144.132.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C9BBC14F68F for <dcrup@ietf.org>; Sat, 11 May 2024 13:10:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sdaoden.eu; s=citron; t=1715458240; x=1716124906; h=date:author:from:to:cc:subject: message-id:in-reply-to:mail-followup-to:openpgp:blahblahblah:mime-version: content-type:content-transfer-encoding:author:from:subject:date:to:cc: resent-date:resent-from:resent-to:resent-cc:in-reply-to:references: mime-version:content-type:content-transfer-encoding:message-id: mail-followup-to:openpgp:blahblahblah; bh=tNCRVNov/0i1qiNXIk6bsAGcgTb0PWOq0ysbE63nXbM=; b=JngTrLQqowoM4Lr0UK2yg7Q4KWaL3aZG4W/ulYesvg65WrVb1iNYJNwDkDUicbtZvOWxtH2N 8XqjvrLRuv2EoyjZ68TFhsDwlqxBi/qlqg2LsRXFSyX3XGBSP3Lmwfvyzmz1n4Rk8sv+zAm5vj 4zBcIGTGrxwZORDEGLI2I98fEJj53I/Ra6mOnSY1q16EWdNrJI/eltBr9B3Q2Nj8YJkUKHVk3w POhtTHEG73wBRhctwod+4jVuJZNVmHbsbvD9B94DNWEQGbD7qi0pnpH4OI0jkhQ1M5PiALKq0O 4z2gzxPQdL3OEe3lvnESW0RYXE/0MZUuWW609w4BtoesLCEw==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=sdaoden.eu; s=orange; t=1715458240; x=1716124906; h=date:author:from:to:cc:subject: message-id:in-reply-to:mail-followup-to:openpgp:blahblahblah:mime-version: content-type:content-transfer-encoding:author:from:subject:date:to:cc: resent-date:resent-from:resent-to:resent-cc:in-reply-to:references: mime-version:content-type:content-transfer-encoding:message-id: mail-followup-to:openpgp:blahblahblah; bh=tNCRVNov/0i1qiNXIk6bsAGcgTb0PWOq0ysbE63nXbM=; b=jshdpF7xq9OZ1S8tgclrRUWfPp+vkyWCr05OZ2wWl2qvFcCn9SXPcj7j+I1kJ1OVxZckqnwa k48jI4iZnkWWAw==
Date: Sat, 11 May 2024 22:10:39 +0200
Author: Steffen Nurpmeso <steffen@sdaoden.eu>
From: Steffen Nurpmeso <steffen@sdaoden.eu>
To: Viktor Dukhovni <ietf-dane@dukhovni.org>, John R Levine <johnl@taugh.com>
Message-ID: <20240511201039.lf46znlR@steffen%sdaoden.eu>
In-Reply-To: <Zj726P3CJF1KM7Mu@chardros.imrryr.org>
Mail-Followup-To: Viktor Dukhovni <ietf-dane@dukhovni.org>, John R Levine <johnl@taugh.com>, "RFC Errata System" <rfc-editor@rfc-editor.org>, dcrup@ietf.org, "Scott Kitterman" <sklist@kitterman.com>, "Murray S. Kucherawy" <superuser@gmail.com>, Orie Steele <orie@transmute.industries>, Rebecca VanRheenen <rvanrheenen@amsl.com>, Steffen Nurpmeso <steffen@sdaoden.eu>
User-Agent: s-nail v14.9.24-621-g0d1e55f367
OpenPGP: id=EE19E1C1F2F7054F8D3954D8308964B51883A0DD; url=https://ftp.sdaoden.eu/steffen.asc; preference=signencrypt
BlahBlahBlah: Any stupid boy can crush a beetle. But all the professors in the world can make no bugs.
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-MailFrom: steffen@sdaoden.eu
CC: RFC Errata System <rfc-editor@rfc-editor.org>, dcrup@ietf.org, Scott Kitterman <sklist@kitterman.com>, "Murray S. Kucherawy" <superuser@gmail.com>, Orie Steele <orie@transmute.industries>, Rebecca VanRheenen <rvanrheenen@amsl.com>, steffen@sdaoden.eu
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Dcrup] Re: [standards] [Editorial Errata Reported] RFC8463 (7930)
List-Id: DKIM Crypto Update <dcrup.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dcrup/G4nX46FP6s31dXcPQXObWAvg3Sg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dcrup>
List-Help: <mailto:dcrup-request@ietf.org?subject=help>
List-Owner: <mailto:dcrup-owner@ietf.org>
List-Post: <mailto:dcrup@ietf.org>
List-Subscribe: <mailto:dcrup-join@ietf.org>
List-Unsubscribe: <mailto:dcrup-leave@ietf.org>

Hello dear Viktor!

Thanks a lot for spending so much time and effort to figure out
John R's fault; your crypto knowledge and artistry are always
amazing to read *and see*.  Thank you!

Viktor Dukhovni wrote in
 <Zj726P3CJF1KM7Mu@chardros.imrryr.org>:
 ...

I shortened this because it was "magic mystic" and very hard to
disentangle.  I hope I found the correct mouse..

 |> show what you had to change and why it is wrong.
 |
 |1. The "bh=" value in RFC8463 is correct:

I have not tested that.  Good to know.

  ...
 |2. The headers to be signed are:

The same output I had shown, effectively.

  ...
 |3. This is then signed with the Ed25519 key from RFC8032:
 ...
 |    $ printf "%s\n" 48ce9a2c710ece1710ff156996b836a7f45470e43efe5643074d6e1\
 |    690ed62e7 |
 |      xxd -r -p > /tmp/data.hash
 |
 |    $ openssl pkeyutl -rawin -sign -inkey /tmp/pkey.pem -in /tmp/data.hash \
 |    |
 |      openssl base64
 |    /gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11BusFa3bT3FY
 |    5OsU7ZbnKELq+eXdp1Q1Dw==
 |
 |The result matches the "b=" value in https://datatracker.ietf.org/doc/ht\
 |ml/rfc8463#appendix-A.3

Wonderful, thank you very much.  So John R Levine mapped the RSA
scheme onto Ed25519, where one first generates a message digest,
which is then signed.  Whereas Ed25519 itself does not allow that:
it always uses SHA-512 internally, with multiple runs over the
complete data, and keys, etc. etc.

I already complained on the openssl-users@ list that there is no
automated way for programmers to get a notion of what is going
on; I posted to ietf-dkim@ a while back, thus:

      /* Unfortunately there is no easy accessible property that tells us which codepath to take */
      EVP_MD_CTX_reset(mdcp->mdc_md_ctx);
      if(!EVP_DigestSignInit(mdcp->mdc_md_ctx, NIL, mdcp->mdc_md->md_md, NIL, kp->k_key) &&

^ This is RSA: pass the message digest along; it will then first
digest, then sign.  (You could also use the old-style code path,
which many DKIM signers (optionally) still use, where you simply
digest yourself and then use EVP_PKEY_sign(3):

   The function EVP_PKEY_sign() can be called more than once on the same
   context if several operations are performed using the same parameters.

                      !EVP_DigestSignInit(mdcp->mdc_md_ctx, NIL, NIL, NIL, kp->k_key)){

^ This is Ed25519: because it always runs over all the data and
creates an internal SHA-512 digest, it is one-shot:

       The Ed25519 and Ed448 EVP_PKEY implementation supports key generation,
       one-shot digest-sign and digest-verify using the EdDSA signature scheme
       described in RFC 8032. It has associated private and public key formats
       compatible with RFC 8410.
      ...
       The message to sign or verify must be passed using the one-shot
       EVP_DigestSign() and EVP_DigestVerify() functions.

 |    Viktor.
 --End of <Zj726P3CJF1KM7Mu@chardros.imrryr.org>

Thank you very much, Viktor, I would *not* have been able to pave
my way to find John's actual fault and stand against his

  |It would be a lot more credible[.]

A nice Sunday I wish everybody.
Ciao, and greetings from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
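Added example (not code from the thread, from s-nail or from OpenSSL): a self-contained Python reproduction of the ed25519-sha256 signing step Viktor performed with "openssl pkeyutl -rawin -sign", built on a reference-style PureEdDSA implementation so the sequence "SHA-256 the canonicalised headers, hand that 32-byte hash to Ed25519 as the message, Ed25519 hashes it again internally with SHA-512" is visible in code rather than hidden behind an EVP code path. Assumptions: the secret key is the RFC 8032 section 7.1 test-1 key, taken here to be the key RFC 8463 Appendix A uses; HEADER_HASH is the hash quoted from Viktor's message; the function names (dkim_sign_hash_b and friends) are this example's own.

```python
import base64
import hashlib

# Minimal PureEdDSA (Ed25519, RFC 8032 section 5.1) in the style of the RFC's
# reference code.  Added example, not code from the thread, s-nail or OpenSSL;
# not constant-time, for illustration only.
P = 2**255 - 19                                      # field prime
Q = 2**252 + 27742317777372353535851937790883648493  # group order
D = (-121665 * pow(121666, P - 2, P)) % P            # curve constant
SQRT_M1 = pow(2, (P - 1) // 4, P)

def sha512_modq(data):
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % Q

def point_add(p1, p2):  # extended twisted Edwards coordinates (X, Y, Z, T)
    a = (p1[1] - p1[0]) * (p2[1] - p2[0]) % P
    b = (p1[1] + p1[0]) * (p2[1] + p2[0]) % P
    c, d = 2 * p1[3] * p2[3] * D % P, 2 * p1[2] * p2[2] % P
    e, f, g, h = b - a, d - c, d + c, b + a
    return (e * f % P, g * h % P, f * g % P, e * h % P)

def point_mul(s, pt):
    acc = (0, 1, 1, 0)  # neutral element
    while s:
        if s & 1:
            acc = point_add(acc, pt)
        pt, s = point_add(pt, pt), s >> 1
    return acc

def point_equal(p1, p2):
    return ((p1[0] * p2[2] - p2[0] * p1[2]) % P == 0 and
            (p1[1] * p2[2] - p2[1] * p1[2]) % P == 0)

def recover_x(y, sign):
    if y >= P:
        return None
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    if x2 == 0:
        return None if sign else 0
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * SQRT_M1 % P
    if (x * x - x2) % P:
        return None
    return P - x if (x & 1) != sign else x

G_Y = 4 * pow(5, P - 2, P) % P
G_X = recover_x(G_Y, 0)
G = (G_X, G_Y, 1, G_X * G_Y % P)  # base point

def compress(pt):
    zinv = pow(pt[2], P - 2, P)
    x, y = pt[0] * zinv % P, pt[1] * zinv % P
    return (y | ((x & 1) << 255)).to_bytes(32, "little")
def decompress(s):
    y = int.from_bytes(s, "little")
    sign, y = y >> 255, y & ((1 << 255) - 1)
    x = recover_x(y, sign) if len(s) == 32 else None
    return None if x is None else (x, y, 1, x * y % P)

def secret_expand(secret):
    h = hashlib.sha512(secret).digest()
    return int.from_bytes(h[:32], "little") & ((1 << 254) - 8) | (1 << 254), h[32:]
def ed25519_public(secret):
    return compress(point_mul(secret_expand(secret)[0], G))

def ed25519_sign(secret, msg):
    # The *whole* message goes through SHA-512 twice (nonce r and challenge h);
    # the signer never takes a caller-supplied digest and "finishes" it.
    a, prefix = secret_expand(secret)
    pub = compress(point_mul(a, G))
    r = sha512_modq(prefix + msg)
    r_enc = compress(point_mul(r, G))
    h = sha512_modq(r_enc + pub + msg)
    return r_enc + ((r + h * a) % Q).to_bytes(32, "little")

def ed25519_verify(pub, msg, sig):
    pub_pt, r_pt = decompress(pub), decompress(sig[:32])
    s = int.from_bytes(sig[32:], "little")
    if len(sig) != 64 or pub_pt is None or r_pt is None or s >= Q:
        return False
    h = sha512_modq(sig[:32] + pub + msg)
    return point_equal(point_mul(s, G), point_add(r_pt, point_mul(h, pub_pt)))

# DKIM ed25519-sha256 (RFC 8463 section 3): the SHA-256 of the canonicalised
# header block (ending with the DKIM-Signature header, b= emptied) is the
# *message* handed to PureEdDSA, which then applies its own SHA-512 to it.
def dkim_sign_hash_b(secret, header_hash32):
    return base64.b64encode(ed25519_sign(secret, header_hash32)).decode()
def dkim_ed25519_sha256_b(secret, canonical_headers):
    return dkim_sign_hash_b(secret, hashlib.sha256(canonical_headers).digest())
def dkim_verify_hash_b(pub, header_hash32, b_value):
    return ed25519_verify(pub, header_hash32, base64.b64decode(b_value))

# RFC 8032 section 7.1 test-1 key, assumed to be the one RFC 8463 Appendix A uses.
SECRET = bytes.fromhex("9d61b19deffd5a60ba844af492ec2cc44449c5697b326919703bac031cae7f60")
# SHA-256 of the Appendix A.3 header block, copied from Viktor's message above.
HEADER_HASH = bytes.fromhex("48ce9a2c710ece1710ff156996b836a7f45470e43efe5643074d6e1690ed62e7")
RFC8463_B = ("/gCrinpcQOoIfuHNQIbq4pgh9kyIK3AQUdt9OdqQehSwhEIug4D11BusFa3bT3FY"
             "5OsU7ZbnKELq+eXdp1Q1Dw==")

if __name__ == "__main__":
    b = dkim_sign_hash_b(SECRET, HEADER_HASH)
    print("b=" + b, "\nmatches RFC 8463 A.3:", b == RFC8463_B,
          "\nverifies:", dkim_verify_hash_b(ed25519_public(SECRET), HEADER_HASH, b))
```

Run stand-alone it prints the computed b= value, whether it equals the Appendix A.3 value, and whether it verifies against the public key derived from the same secret. The DNS lookup of the p= record that a real verifier does is out of scope here; ed25519_verify is simply handed the 32-byte public key.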