IETF Logo Mail Archive

Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?

Andrew Gallagher <andrewg@andrewg.com> Wed, 01 March 2023 12:46 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67CF7C151551 for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 04:46:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A2wBKq3Qw-mc for <openpgp@ietfa.amsl.com>; Wed, 1 Mar 2023 04:46:29 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 84689C14F736 for <openpgp@ietf.org>; Wed, 1 Mar 2023 04:46:29 -0800 (PST)
Received: from [192.168.1.140] (unknown [176.61.115.103]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits)) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id 718625F4D2 for <openpgp@ietf.org>; Wed, 1 Mar 2023 12:46:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1677674787; bh=H9SPLIF5VQ0yuy8kMAmP4EFWNULeSFmEMOiNLFYv5y0=; h=Date:To:References:From:Subject:In-Reply-To:From; b=M77xRqi6YE5SHe1aW9RhthFlZZecqRBo2WXeDz2jU4G9AxgksUFUyR8s8nyUWNkre PkZoQ/ehqR8/pxK8TZkLgJPmgbQNTJ5bSxQaefzj1lmYG4yPx6dULSn5k14LZ46ubX js7KQ/e0AwpN0zC16j0WG2apRNDbDDAEjncVTMvSW2NhuWOIA4/z8ahYjOFy+CX2NR yBXevtPkYTXxmN5m+DGM3xrx0s3x8YI2Slo0Qbx+zgB4CjUg82ivVe5adO91rAJSvN gWSjnCCjjQwlKoGjAJtc2SoeHd2EkVPFVeuA/R2VWiVYZXHAcwzDeNVxlfMI9IFLTq 59JDId+I6JiNg==
Message-ID: <2ae335f9-b36a-f5e1-8668-b94a805b709e@andrewg.com>
Date: Wed, 01 Mar 2023 12:46:26 +0000
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:102.0) Gecko/20100101 Thunderbird/102.8.0
Content-Language: en-US
To: openpgp@ietf.org
References: <87lekkts65.fsf@fifthhorseman.net> <d759691a-c447-f66d-b839-f1b87e6b89af@andrewg.com> <87y1oj5ltj.fsf@europ.lan> <edeb91b0-6e7e-fa35-c571-d16dff433871@andrewg.com> <87v8jn5e4k.fsf@europ.lan> <55c56429-e1b1-97d3-5ad3-c54a69428143@andrewg.com> <87sfer588g.fsf@europ.lan> <b2a78baa-4636-9353-e079-232d580806a0@andrewg.com> <87o7pe69m6.fsf@europ.lan> <6lLcuziqTC31StjVfWBQYzemBHmXkVQG_LV6cIQ1lQU7qtOTr-HKCRHzxSY5LXsFU_BnnElSN0zry-RGK8TtC5cM_Ab4KsuWSPON8-82ZOM=@protonmail.com> <ebd88ec4-787b-fea7-f822-e6b514343dba@andrewg.com> <87wn41ru96.fsf@fifthhorseman.net> <87cz5sbsv3.fsf@europ.lan>
From: Andrew Gallagher <andrewg@andrewg.com>
In-Reply-To: <87cz5sbsv3.fsf@europ.lan>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/B4OBW1IygfglTCeU3ly1Y5QyyuQ>
Subject: Re: [openpgp] Should signatures be rejected if the embedded hash prefix does not match?
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2023 12:46:33 -0000

On 01/03/2023 11:42, Justus Winter wrote:
> Note that checksum over signatures in the OpenPGP sense do neither include the digest prefix nor the unhashed subpacket area.

According to the current draft:

```
When a signature is made over a Signature packet (type 0x50, 
"Third-Party Confirmation signature"), the hash data starts with the 
octet 0x88, followed by the four-octet length of the signature, and then 
the body of the Signature packet. (Note that this is a Legacy packet 
header for a Signature packet with the length-of-length field set to 
zero.) The unhashed subpacket data of the Signature packet being hashed 
is not included in the hash, and the unhashed subpacket data length 
value is set to zero.
```

The body of a signature packet contains the prefix octets, and the above 
only says to remove the unhashed subpacket area. So fixing up the prefix 
octets will invalidate 0x50 sigs.

A

v2.23.0 | Report a Bug | By Email