[openpgp] Ambiguity about signature vs literal packet encoding formats
Andrew Gallagher <andrewg@andrewg.com> Wed, 24 January 2024 18:52 UTC
Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9C2CC151095 for <openpgp@ietfa.amsl.com>; Wed, 24 Jan 2024 10:52:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RJf2ni1D9wlr for <openpgp@ietfa.amsl.com>; Wed, 24 Jan 2024 10:52:51 -0800 (PST)
Received: from fum.andrewg.com (fum.andrewg.com [IPv6:2a01:4f9:c011:23ad::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BC10C151993 for <openpgp@ietf.org>; Wed, 24 Jan 2024 10:52:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1706122367; bh=Bd20ojY3f7lg8vWbepX8Rthie8Mm5FHj3QXF/qEs/Y4=; h=From:Subject:Date:To:From; b=uGmqw7BhRQynd5n8hBiqoSCflafIUzklRAgqxwwgpk1S/C0mGxQ4vBr3g2RM4sh2T S44W2LPQjegUA7G6ul7IxchCikrKTZlB0QIcLxkQ7puhgHfnZQznnUdQasIhrdXLZ+ dPC1cv4VaaPqNJtLr/SQxt4Rvoeyb99xFa1/6xUxTjgCsgO7phauQaoOxT4ACVLAX+ Wina1XFvN8kyWh383jCtjrPW5fVnMzHyhtiRnJR4ru4Uev36H0kkHet4qV01dMz5si 1L4l1c7fkdcmCBfPBGTVjko97/zmLLANmnBtLryAeqzK9ZW5kCnlZVs0m3ectAASwN b4CDXTR3ZN14Q==
Received: from smtpclient.apple (serenity [IPv6:fc93:5820:7349:eda2:99a7::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by fum.andrewg.com (Postfix) with ESMTPSA id BC3AB5DE4D for <openpgp@ietf.org>; Wed, 24 Jan 2024 18:52:47 +0000 (UTC)
From: Andrew Gallagher <andrewg@andrewg.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_41458AA9-A15F-4761-AC08-04AC9FDE9AF6"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
Message-Id: <69543475-D5B7-474C-AAB0-0CF9989D4B4D@andrewg.com>
Date: Wed, 24 Jan 2024 18:52:29 +0000
To: "openpgp\\\\@ietf.org" <openpgp@ietf.org>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/QsFgoxQa3S_JNa9oz8pRMxk3bIU>
Subject: [openpgp] Ambiguity about signature vs literal packet encoding formats
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jan 2024 18:52:55 -0000
Hi, all. It has come to my attention that it is possible (and apparently permitted!) to generate a text (0x01) signature over a binary literal data packet. The test suite does not currently cover this scenario well, seemingly because of lack of support for the required SOP commands: https://tests.sequoia-pgp.org/#Signed_messages https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/17 https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/63 https://gitlab.com/sequoia-pgp/openpgp-interoperability-test-suite/-/issues/73 But it would now appear that this is a real interop issue: https://github.com/rpgp/rpgp/pull/263 tl;dr: A text document can be encoded using non-normalised line endings in a binary literal data packet, and have a text signature over it that is correctly calculated over a normalised (but ephemeral) copy of that document. If this signature is detached, and then verified over the detached document, it is obvious that the document must be normalised before verification, and the verification should therefore succeed. But it does not appear to be obvious that the same is true of that document before detachment, since at least two implementations do not currently perform this normalisation. Does the group feel this a case of the receiving implementations not being sufficiently lenient in what they consume, or the generating implementations not being sufficiently strict in what they produce? ;-) Crypto-refresh appears to be contradictory. It allows generating applications to put text data in a binary-marked literal data packet, even if the application knows for sure it will be text-signed: > If the implementation is certain that the data is textual and is encoded with UTF-8 (for example, if it will follow this literal data packet with a signature packet of type 0x01 (see Section 5.2.1), it MAY set the format octet to u. Otherwise, it MUST set the format octet to b. But it tells a receiving application that `b` means binary data, without exception: > The body of this packet consists of: > • A one-octet field that describes how the data is formatted. > If it is a b (0x62), then the Literal packet contains binary data. https://datatracker.ietf.org/doc/html/draft-ietf-openpgp-crypto-refresh-13#name-literal-data-packet-type-id If this field does not contain authoritative information about the the literal data packet encoding, would it not make more sense to default it to NUL, or some other meaningless value, rather than a potentially misleading one? Otherwise, surely the literal data packet encoding MUST match the signature type? Alternatively a receiving application MUST ignore this field and infer it from the signature type when verifying that signature. A PS: Before DKG panics, this is aimed at the future semantics clarification document, which appears more and more necessary as time passes :-)
- [openpgp] Ambiguity about signature vs literal pa… Andrew Gallagher
- Re: [openpgp] Ambiguity about signature vs litera… Daniel Huigens
- Re: [openpgp] Ambiguity about signature vs litera… Daniel Kahn Gillmor
- Re: [openpgp] Ambiguity about signature vs litera… Justus Winter
- Re: [openpgp] Ambiguity about signature vs litera… Andrew Gallagher
- Re: [openpgp] Ambiguity about signature vs litera… Andrew Gallagher
- Re: [openpgp] Ambiguity about signature vs litera… joncallas
- Re: [openpgp] Ambiguity about signature vs litera… Daniel Huigens
- Re: [openpgp] Ambiguity about signature vs litera… iang
- Re: [openpgp] Ambiguity about signature vs litera… Daniel Kahn Gillmor