IETF Logo Mail Archive

Re: [openpgp] Expected client behaviour ambiguity in signature verification

Andrew Gallagher <andrewg@andrewg.com> Thu, 21 July 2022 22:36 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7868C157B4D for <openpgp@ietfa.amsl.com>; Thu, 21 Jul 2022 15:36:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FA10RmPL6BeG for <openpgp@ietfa.amsl.com>; Thu, 21 Jul 2022 15:36:31 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 44A86C14CF15 for <openpgp@ietf.org>; Thu, 21 Jul 2022 15:36:30 -0700 (PDT)
Received: from smtpclient.apple (unknown [176.61.115.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by fum.andrewg.com (Postfix) with ESMTPSA id 6CF565F03C; Thu, 21 Jul 2022 22:36:24 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1658442984; bh=4FBN4d6JK29eXafxocd1nklYEg8PGz2x0k2WVziaXPM=; h=From:Subject:Date:References:To:In-Reply-To:From; b=dur9HZCQLcDyULe/BeI0oAq9LlHqJHIoGeDj3677SR9paUxUsOYiu27yphtcRnZJ4 ELvjm5xtsdfIyUQi+bsZnw7e26UFYAErz01AwcDKIkm9YaYvTMkhJeI7hIcob7NjS5 a/nQXcVn/B7hCcx7GuA+dqKAk013bGkiySFjCDX+JcCkwclgYcZSu4aoJ0CGivxnpu yXIkpuh3q+Jp7YOW6+XAbYluwsSyIoYXTFwrgWR06P9edPJzGnk8YXvoO+3wMKBgP0 Jv/Q9intmFrOEz7ThasVALut0No3TM/VwgnFqCePY2D56uy4EwBaySTi4+ZNj57CNI iFw/C1LpvhV0Q==
From: Andrew Gallagher <andrewg@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_28453516-80C9-4611-9A2C-2A841941B7F8"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
Date: Thu, 21 Jul 2022 23:35:51 +0100
References: <d0483dcb-025b-37c2-9a26-e42133b506ac@andrewg.com> <HcMPnSrBDMEb2UqLScL9OTrornuJln5O0WG0ZBe2FLW3Q3YbJ9plFBKGJGdWYyVF-Wz9HA6supa9tXH5y8DfJTe05cUD5Uk0VciCnGuQNMo=@protonmail.com> <87pmifx2km.fsf@europ.lan> <Gjz95aE4GW3B-PIIf3VWobfxKwlSPyI-yU5L7B5zM-6QBv48RXZrrXvIkFQ5NUd9g64Ai9Adzqxahueo5LEqWRCY-Hjj9dRZeI2JYlaWqd4=@protonmail.com> <87let3wxtj.fsf@europ.lan> <ejV91k6cLZSWu6XKlMLLyVhrwpYOJWOD6q4Ekp6veU53kVA4kSNM1zZ1EoCJG2QJLlYoq2Rylxd7LWxssmPji5ozUn8iZHiD1f3x8vqJ2wc=@protonmail.com> <637768CF-CD88-4A2C-BC58-EE2945A1F008@andrewg.com> <IdS0-BxA6w80HLI578WI9YpxpzFb0MbynW3DOEhCWSF825_1qT6Dj6KlYX5CYs9-VYOJoNlj-8KZ6dd6ywX3xufc11_k_vScRCI-F1ik9XM=@protonmail.com> <25F2FE86-5B9E-4211-A526-FBCBD18EAA30@andrewg.com> <Xsi4cfl-3WekivJxtTFaLQnzwmNPn6RF3nHdF99G1qZU_e1iLB7ewnR-zRZP9HbdWQvIEQZqTb9CrniOKvufk8mkleyV2PZs8XLDfCQXrFo=@protonmail.com>
To: Daniel Huigens <d.huigens@protonmail.com>, openpgp@ietf.org
In-Reply-To: <Xsi4cfl-3WekivJxtTFaLQnzwmNPn6RF3nHdF99G1qZU_e1iLB7ewnR-zRZP9HbdWQvIEQZqTb9CrniOKvufk8mkleyV2PZs8XLDfCQXrFo=@protonmail.com>
Message-Id: <3CC3F9C5-2DA5-4ACE-BCDF-54864FE8CCDF@andrewg.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/05E3ii19CujKjvSLGbv3_pjIdUo>
Subject: Re: [openpgp] Expected client behaviour ambiguity in signature verification
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jul 2022 22:36:35 -0000

On 15 Jul 2022, at 15:25, Daniel Huigens <d.huigens=40protonmail.com@dmarc.ietf.org> wrote:
> 
> I understood that GitHub has one, generated
> using OpenPGP.php, would it be possible to ask them to generate a new
> key, or modify their existing one?

I decided to test this infamous GitHub signing key. It appears to be 0x4AEE18F83AFDEB23 and can be found at https://github.com/web-flow.gpg <https://github.com/web-flow.gpg> . Unfortunately, its self-sig appears to have multiple issues.

First, it has a bad quick-test hash prefix as already discussed, although it is not broken in the way that openpgp-php breaks things (by using the first two bytes of the signature MPI). This points towards a similar but independent bug.

Secondly, it has a malformed MPI length:

```
$ curl -s https://github.com/web-flow.gpg | sq packet dump
Public-Key Packet, new CTB, 269 bytes
    Version: 4
    Creation time: 2017-08-16 15:44:01 UTC
    Pk algo: RSA (Encrypt or Sign)
    Pk size: 2048 bits
    Fingerprint: 5DE3E0509C47EA3CF04A42D34AEE18F83AFDEB23
    KeyID: 4AEE18F83AFDEB23

User ID Packet, new CTB, 53 bytes
    Value: GitHub (web-flow commit signing) <noreply@github.com>

Unknown or Unsupported Packet, new CTB, 290 bytes
    Tag: Signature Packet
    Error: Malformed MPI: leading bit is not set: expected bit 8 to be set in   100000 (20)
```

Examining the key shows that the MPI begins [08 00 20 …] where the length is an integer multiple of 8 bits, but the first two bits of the first value byte are zero. Sequoia fails on this, while gnupg ignores it:

```
$ curl -s https://github.com/web-flow.gpg | gpg --list-packets
# off=0 ctb=c6 tag=6 hlen=3 plen=269 new-ctb
:public key packet:
	version 4, algo 1, created 1502898241, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 4AEE18F83AFDEB23
# off=272 ctb=cd tag=13 hlen=2 plen=53 new-ctb
:user ID packet: "GitHub (web-flow commit signing) <noreply@github.com>"
# off=327 ctb=c2 tag=2 hlen=3 plen=290 new-ctb
:signature packet: algo 1, keyid 4AEE18F83AFDEB23
	version 4, created 1502898241, md5len 0, sigclass 0x13
	digest algo 8, begin of digest 99 01
	hashed subpkt 2 len 4 (sig created 2017-08-16)
	hashed subpkt 16 len 8 (issuer key ID 4AEE18F83AFDEB23)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 25 len 1 (primary user ID)
	data: [2046 bits]
```

This again throws up the question of how strict clients should be when parsing noncompliant yet unambiguous data. From the RFC section 3.2:

```
The length field of an MPI describes the length starting from its
most significant non-zero bit.  Thus, the MPI [00 02 01] is not
formed correctly.  It should be [00 01 01].
```

This is pretty clear re what generating software should do (but not SHOULD do?), while leaving the door open for receiving software to be lenient about zero leading bits. Is it a good idea to leave so much to implementation discretion, particularly when it means that latent interop problems can go unnoticed?

(Aside: why are MPI lengths measured in bits even though they’re only ever stored as whole bytes? I accept we’re probably stuck with it now but it’s yet another example of needless added complexity in the standard)

A

v2.23.0 | Report a Bug | By Email