IETF Logo Mail Archive

[openpgp] Expected client behaviour ambiguity in signature verification

Andrew Gallagher <andrewg@andrewg.com> Thu, 07 July 2022 18:39 UTC

Return-Path: <andrewg@andrewg.com>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86E64C159827 for <openpgp@ietfa.amsl.com>; Thu, 7 Jul 2022 11:39:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=andrewg.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-XaZNyW23_f for <openpgp@ietfa.amsl.com>; Thu, 7 Jul 2022 11:39:45 -0700 (PDT)
Received: from fum.andrewg.com (fum.andrewg.com [135.181.198.78]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 283EDC157B51 for <openpgp@ietf.org>; Thu, 7 Jul 2022 11:39:44 -0700 (PDT)
Received: from [IPv6:fc93:5820:737b:2d0b:a807::1] (whippet [IPv6:fc93:5820:737b:2d0b:a807::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (Client did not present a certificate) by fum.andrewg.com (Postfix) with ESMTPSA id A4D535EC99 for <openpgp@ietf.org>; Thu, 7 Jul 2022 18:39:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=andrewg.com; s=andrewg-com; t=1657219180; bh=180ZsnK++s7S9Y3VZCmUZ5tbIxzq7BBodGD9qNXrqUo=; h=To:From:Subject:Date:From; b=K+ALvBwIdyj6rbNSM9dIucojoTQ6H4Cn0QoM6pDVA1kgxdyz/vsqqlpMRHLIn17Us SoAETxfO1NjzV3T3igpSu+ZEpCjb71rcyZf5uFKHN4dqMHKUE6XVLbcaK3LN2YOaKC Ib3Pd4hBU8dABtGlPxCZDnDNf8llBa5CozVz40+2wea0kIvF37gbgca2Gb0yjECrWW pNZO27nv2tm26mUwtpDEVWHzQFQcqz9ANtTkAUn7Xk53vfc898dWxdXovyvs2/JR8x lxz7PEOI6JMN/DmurjbigNps7Qdqm0OiVRLb3PIqdQB+7mLb2zC59b24bt7mDOBEfj x6walukKQuB1A==
To: openpgp@ietf.org
From: Andrew Gallagher <andrewg@andrewg.com>
Message-ID: <d0483dcb-025b-37c2-9a26-e42133b506ac@andrewg.com>
Date: Thu, 07 Jul 2022 19:39:33 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="GWLgSFQvQKcJqsvNqmGmWKykdaIpr2XLj"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/Zv8v1IwbbXYiDPKytfbUmtNdxak>
Subject: [openpgp] Expected client behaviour ambiguity in signature verification
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Jul 2022 18:39:49 -0000

Hi, all.

It has been brought to my attention that some keys in the wild are not
being served correctly by some keyservers, and I suspect that the reason
is that only some OpenPGP implementations are performing the following
test as specified in section 5.2.3 of RFC4880:

```
The concatenation of the data being signed and the signature data from
the version number through the hashed subpacket data (inclusive) is hashed.
The resulting hash value is what is signed.
The high 16 bits (first two octets) of the hash are included in the
Signature packet to provide a way to reject some invalid signatures
without performing a signature verification.
```

I know that Protonmail/go-crypto *is* performing this test, and the key
I have been supplied with fails on it - but processing the same key in
both GnuPG and Sequoia throws no errors.

What should an implementation do in the case where these 16 bits are
incorrectly set but the signature is otherwise valid? It is implied that
failing hard on this test is allowed (otherwise why bother?) but it is
not specified as MUST or even SHOULD.

Thanks,
A

v2.23.0 | Report a Bug | By Email