Re: [openpgp] Expected client behaviour ambiguity in signature verification
Daniel Huigens <d.huigens@protonmail.com> Fri, 08 July 2022 10:28 UTC
Return-Path: <d.huigens@protonmail.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 205F3C157B45 for <openpgp@ietfa.amsl.com>; Fri, 8 Jul 2022 03:28:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=protonmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R5EALVWwPp1C for <openpgp@ietfa.amsl.com>; Fri, 8 Jul 2022 03:28:00 -0700 (PDT)
Received: from mail-40134.protonmail.ch (mail-40134.protonmail.ch [185.70.40.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4AF5C157B43 for <openpgp@ietf.org>; Fri, 8 Jul 2022 03:28:00 -0700 (PDT)
Date: Fri, 08 Jul 2022 10:27:47 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=protonmail.com; s=protonmail3; t=1657276077; x=1657535277; bh=E46N8eIwSYmNPfE0URazyK8abozTOQsd/narb0Ma6Hw=; h=Date:To:From:Cc:Reply-To:Subject:Message-ID:In-Reply-To: References:Feedback-ID:From:To:Cc:Date:Subject:Reply-To: Feedback-ID:Message-ID; b=ayF3hCD9oD65Cot7Ryqjp+qLe/PHMcmdFIXhCbag2F4KOQGqjyM44PNAb6zCzouJ9 LHtDlQfiHtbcUKutrJmrK+gUaLMmZDDpNK58uC8x6iyOZ5NRULU1kZEFVWq+vr+AMW WVch9arqvTtSqdS4czm2E6IfmC66OQKJt0rG0/2wEJMoEK8aBbHzm9LKCYtOE5FMij vGwY0nT5e2pBVWl6UYPdlcwOJEKy726v8BJlEaFiA4AueBSH3+xWG8qQdo8sdF0cvW BuxKgbJbm/5oZ5L8w1vgthyuxj69IjoofE0Caa23yeZFGA6z3bXUGCKv9QDW7mKcAk odX0wtnhmmzFA==
To: Andrew Gallagher <andrewg@andrewg.com>
From: Daniel Huigens <d.huigens@protonmail.com>
Cc: openpgp@ietf.org
Reply-To: Daniel Huigens <d.huigens@protonmail.com>
Message-ID: <rFGQzFpo7YRJdeCEIqSDMYYZhf_svkyx8UHG3GE__VMZFj2pRAbcTa-G9jjQoppUln1XNblYl6Lbjn7wMDMLqwzTJxB-hO0RwAofwLJL7wc=@protonmail.com>
In-Reply-To: <d0483dcb-025b-37c2-9a26-e42133b506ac@andrewg.com>
References: <d0483dcb-025b-37c2-9a26-e42133b506ac@andrewg.com>
Feedback-ID: 2934448:user:proton
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/KQyOgNY78WOqqIAA3xtqT6fQCKU>
Subject: Re: [openpgp] Expected client behaviour ambiguity in signature verification
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 10:28:05 -0000
Hello, FWIW, OpenPGP.js does this check as well. I agree it would be nice to unify the behavior here. In my opinion, doing the check makes more sense than not doing it, because as you said, otherwise why have those bytes in the signature; we might as well remove them from v5 signatures. So I would be OK with saying we should do this check for v5 signatures, for example, to unify the behavior for the future. That way, if most implementations follow that, it hopefully also prevents such broken keys from getting out there (for v5). Though, I see one potential reason why we might not want this check / these bytes, which is if you have a crypto library that provides a unified hashing+signing/verification API, as the Web Crypto API does, for example, where you pass the data and get back a signature (or true/false), without getting the hash in between. (We currently still hash it separately as well, partially because of this check, but I could imagine we might want to do an optimization there.) So I would also be OK with removing these bytes from v5 signatures and not doing this check in v4 signatures. Best, Daniel ------- Original Message ------- On Thursday, July 7th, 2022 at 20:39, Andrew Gallagher wrote: > Hi, all. > > It has been brought to my attention that some keys in the wild are not > being served correctly by some keyservers, and I suspect that the reason > is that only some OpenPGP implementations are performing the following > test as specified in section 5.2.3 of RFC4880: > > ``` > The concatenation of the data being signed and the signature data from > the version number through the hashed subpacket data (inclusive) is hashed. > The resulting hash value is what is signed. > The high 16 bits (first two octets) of the hash are included in the > Signature packet to provide a way to reject some invalid signatures > without performing a signature verification. > ``` > > I know that Protonmail/go-crypto *is* performing this test, and the key > I have been supplied with fails on it - but processing the same key in > both GnuPG and Sequoia throws no errors. > > What should an implementation do in the case where these 16 bits are > incorrectly set but the signature is otherwise valid? It is implied that > failing hard on this test is allowed (otherwise why bother?) but it is > not specified as MUST or even SHOULD. > > Thanks, > A > > > _______________________________________________ > openpgp mailing list > openpgp@ietf.org > https://www.ietf.org/mailman/listinfo/openpgp
- [openpgp] Expected client behaviour ambiguity in … Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Jonathan McDowell
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Nickolay Olshevsky
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Justus Winter
- Re: [openpgp] Expected client behaviour ambiguity… Justus Winter
- Re: [openpgp] Expected client behaviour ambiguity… Jonathan McDowell
- Re: [openpgp] Expected client behaviour ambiguity… Justus Winter
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Justus Winter
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Paul Schaub
- Re: [openpgp] Expected client behaviour ambiguity… Justus Winter
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Peter Gutmann
- Re: [openpgp] Expected client behaviour ambiguity… Justus Winter
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher
- Re: [openpgp] Expected client behaviour ambiguity… Daniel Huigens
- Re: [openpgp] Expected client behaviour ambiguity… Andrew Gallagher