IETF Logo Mail Archive

Re: [openpgp] reviewing sample v5 certificate: can't validate internal signatures

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 25 November 2022 13:56 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: openpgp@ietfa.amsl.com
Delivered-To: openpgp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5CDCC14F747 for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 05:56:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=xeBy9yGP; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=OxZ+SaSD
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e7zhVLLqM7sI for <openpgp@ietfa.amsl.com>; Fri, 25 Nov 2022 05:55:56 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [IPv6:2001:470:1:116::7]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63A27C14F731 for <openpgp@ietf.org>; Fri, 25 Nov 2022 05:55:56 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1669384554; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=zq9dbXVBtFU3pXpTSH3CKxHL65Fw0W0ai93FdwADiu0=; b=xeBy9yGPj49TzW2FxS2zHewuamAH7EQ3cbcU2u3vBfFhnTulNKn9Jet49MVM4MVY1LuIR uCYK5C17k/+KS6qAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1669384554; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=zq9dbXVBtFU3pXpTSH3CKxHL65Fw0W0ai93FdwADiu0=; b=OxZ+SaSD2es0l64UFEXceNunpA2iOPR70LEVcj77300kfVp+PpvIbG/11lpPrp55aoTYM GK6s9X35RVl/9J+vFl7sOKSzM3TXo9l2Fv2GD13gxSxzrhmv5ZfyQAXZqqHilqxJWSokYm9 XfsMOKVFEokp+KJ8A+KIT7DBczBuMPaY2geaOT9+WJO09Ior4YATqB0XIsjnIRAuT0ME9q6 eaG58U8A5Hf8XKxGPcN9avq0Wi+QC48ReUrEacO4BTJx8J47hz66xtWvXQpFpyu4qXzr/Q3 Cy3ndfRRPoQQDsvw/fwmSDmjJCnClxz7P3Gk9gYyIsjPh/L4MxrqT77wwMJg==
Received: from fifthhorseman.net (unknown [212.77.220.109]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id D5A9CF9AD for <openpgp@ietf.org>; Fri, 25 Nov 2022 08:55:53 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 6A06320717; Fri, 25 Nov 2022 08:17:06 -0500 (EST)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: openpgp@ietf.org
In-Reply-To: <d00SL5PjvNYlsflHLLYPyh1E_JPpIUltjQCBB4HyeITSpCR8_g-4jNZsYJPUf2CZVrkaicEesXZNFf1UDe8-z9z48IR1FGGZIObq2ZHpsfE=@protonmail.com>
References: <87sfifzp3a.fsf@fifthhorseman.net> <d00SL5PjvNYlsflHLLYPyh1E_JPpIUltjQCBB4HyeITSpCR8_g-4jNZsYJPUf2CZVrkaicEesXZNFf1UDe8-z9z48IR1FGGZIObq2ZHpsfE=@protonmail.com>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEX+i03xYJKwYBBAHaRw8BAQdACA4xvL/xI5dHedcnkfViyq84doe8zFRid9jW7CC9XBiI0QQf FgoAgwWCX+i03wWJBZ+mAAMLCQcJEOCS6zpcoQ26RxQAAAAAAB4AIHNhbHRAbm90YXRpb25zLnNl cXVvaWEtcGdwLm9yZ/tr8E9NA10HvcAVlSxnox6z62KXCInWjZaiBIlgX6O5AxUKCAKbAQIeARYh BMKfigwB81402BaqXOCS6zpcoQ26AADZHQD/Zx9nc3N2kj13AUsKMr/7zekBtgfSIGB3hRCU74Su G44A/34Yp6IAkndewLxb1WdRSokycnaCVyrk0nb4imeAYyoPtBc8ZGtnQGZpZnRoaG9yc2VtYW4u bmV0PojRBBMWCgCDBYJf6LTfBYkFn6YAAwsJBwkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3Rh dGlvbnMuc2VxdW9pYS1wZ3Aub3JnL0Gwxvypz2tu1IPG+yu1zPjkiZwpscsitwrVvzN3bbADFQoI ApsBAh4BFiEEwp+KDAHzXjTYFqpc4JLrOlyhDboAAPkXAP0Z29z7jW+YzLzPTQML4EQLMbkHOfU4 +s+ki81Czt0WqgD/SJ8RyrqDCtEP8+E4ZSR01ysKqh+MUAsTaJlzZjehiQ24MwRf6LTfFgkrBgEE AdpHDwEBB0DkKHOW2kmqfAK461+acQ49gc2Z6VoXMChRqobGP0ubb4kBiAQYFgoBOgWCX+i03wWJ BZ+mAAkQ4JLrOlyhDbpHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3Jnfvo+ nHoxDwaLaJD8XZuXiaqBNZtIGXIypF1udBBRoc0CmwICHgG+oAQZFgoAbwWCX+i03wkQPp1xc3He VlxHFAAAAAAAHgAgc2FsdEBub3RhdGlvbnMuc2VxdW9pYS1wZ3Aub3JnaheiqE7Pfi3Atb3GGTw+ jFcBGOaobgzEJrhEuFpXREEWIQQttUkcnfDcj0MoY88+nXFzcd5WXAAAvrsBAIJ5sBg8Udocv25N stN/zWOiYpnjjvOjVMLH4fV3pWE1AP9T6hzHz7hRnAA8d01vqoxOlQ3O6cb/kFYAjqx3oMXSBhYh BMKfigwB81402BaqXOCS6zpcoQ26AADX7gD/b83VObe14xrNP8xcltRrBZF5OE1rQSPkMNy+eWpk eCwA/1hxiS8ZxL5/elNjXiWuHXEvUGnRoVj745Vl48sZPVYMuDgEX+i03xIKKwYBBAGXVQEFAQEH QIGex1WZbH6xhUBve5mblScGYU+Y8QJOomXH+rr5tMsMAwEICYjJBBgWCgB7BYJf6LTfBYkFn6YA CRDgkus6XKENukcUAAAAAAAeACBzYWx0QG5vdGF0aW9ucy5zZXF1b2lhLXBncC5vcmcEAx9vTD3b J0SXkhvcRcCr6uIDJwic3KFKxkH1m4QW0QKbDAIeARYhBMKfigwB81402BaqXOCS6zpcoQ26AAAX mwD8CWmukxwskU82RZLMk5fm1wCgMB5z8dA50KLw3rgsCykBAKg1w/Y7XpBS3SlXEegIg1K1e6dR fRxL7Z37WZXoH8AH
Date: Fri, 25 Nov 2022 08:17:03 -0500
Message-ID: <874junuqb4.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/openpgp/hN26zMFHTkIiZ-G6TfNdiSRejkY>
Subject: Re: [openpgp] reviewing sample v5 certificate: can't validate internal signatures
X-BeenThere: openpgp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Ongoing discussion of OpenPGP issues." <openpgp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/openpgp>, <mailto:openpgp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/openpgp/>
List-Post: <mailto:openpgp@ietf.org>
List-Help: <mailto:openpgp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/openpgp>, <mailto:openpgp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2022 13:56:00 -0000

Much obliged, Daniel!

I think your sequence is the right one.  I used it to figure out where
the bugs were in the implementation i've been tinkering with (it wasn't
just the mis-represented pubkey; i also had a problem where the
implementation was clearing feature flags it didn't know about (and it
didn't know about the SEIPDv2 feature flag yet).

On Tue 2022-11-22 19:56:22 +0000, Daniel Huigens wrote:
> The values we hash are:
>
> a)
> 903c95635b81783d573f3271965690019a00000037056220d057160000002d092b06010401da470f01010740b550fd420bde0a2af2da98c8086ac75f401b9607b8cc801e308e4f252954ab51051f160a0000002305026220d0570315080a0416000201021b03021e090d2709030703090107010902070205ff000000000000002b

Here is a broken-out representation of this stream, in a format inspired
by the nice rendering that Sequoia produces with "sq packet dump --hex".
The first column is the byte index (in hex), and each byte is
represented in hex.  Each row is 8 octets wide.

```
0000  90 3c 95 63 5b 81 78 3d  salt
0008  57 3f 32 71 96 56 90 01
           [pubkey begins]
0010  9a                       v5 pubkey
0011     00 00 00 37           pubkey length
0015                 05        pubkey version
0016                    62 20
0018  d0 57                    Creation Time
001a        16                 key algo: EdDSA
001b           00 00 00 2d     key length
001f                       09  OID length
0020  2b 06 01 04 01 da 47 0f  OID (Ed25519)
0028  01
0029     01 07                 MPI length
002b           40              prefix octet
002c              b5 50 fd 42  x coordinate
0030  0b de 0a 2a f2 da 98 c8
0038  08 6a c7 5f 40 1b 96 07
0040  b8 cc 80 1e 30 8e 4f 25
0048  29 54 ab 51
           [trailer begins]
004c              05           sig version
004d                 1f        sig type: direct key signature
004e                    16     sig algo: EdDSA
004f                       0a  hash algo: SHA2-512
0050  00 00 00 23              hashed subpackets length
0054              05           sbpkt length
0055                 02        sbpkt type: Signature Creation Time
0056                    62 20  Signature Creation Time
0058  d0 57                       (2022-03-03T14:27:35Z)
005a        03                 sbpkt length
005b           15              sbpkt type: Pref. Hash Algorithms
005c              08 0a        Hash Algos: [SHA2-256 SHA2-512]
005e                    04     sbpkt length
005f                       16  sbpkt type: Pref. Compression
0060  00 02 01                 Compress Algos: [none ZLIB ZIP]
0063           02              sbpkt length
0064              1b           sbpkt type: Key Flags
0065                 03        Key Flags: {certify, sign}
0066                    02     sbpkt length
0067                       1e  sbpkt type: Features
0068  09                       Features: {SEIPDv1, SEIPDv2}
0069     0d                    sbpkt length
006a        27                 sbpkt type: Pref. AEAD Ciphersuites
006b           09 03           [AES256-GCM
006d                 07 03      AES128-GCM
006f                       09   AES256-EAX
0070  01
0071     07 01                  AES128-EAX
0073           09 02            AES256-OCB
0075                 07 02      AES128-OCB]
0077                       05  sig version
0078  ff                       sentinel octet
0079     00 00 00 00 00 00 00  trailer length
0080  2b                                              
0081
```

I wonder whether it makes sense to include something like this as an
example in the draft itself, to make it easy for implementers to check
their work with a concrete example.

We could include it with a title like "octet sequence hashed for
the direct key signature in sample certificate".  Maybe in an appendix?
Keeping such an "artwork" to 8 octets per row makes it possible to fit
it into RFC's text column-width constraints and still have a fairly
intelligble description column.

> b)
> 5222aad2131c7b739aba14d74930a6559a00000037056220d057160000002d092b06010401da470f01010740b550fd420bde0a2af2da98c8086ac75f401b9607b8cc801e308e4f252954ab519a0000003c056220d05712000000320a2b060104019755010501010740ec2ae8314d049db9cfc67f58a440f760469700509df267198045ee13c1325d7f03010807051816080000000905026220d057021b0c05ff0000000000000011

I can do the same breakdown as above for this sequence if people think
it would be useful for the documentation.

> P.S. It's a bit weird that we used SHA512 for one and SHA256 for the
> other, indeed. It seems there's some missing code for the subkey
> binding signature to use the preferred hash algorithm, which I set to
> SHA512 when generating that key, so it used the default hash for the
> curve, SHA256. We'll have to fix that too.

It's also a little bit weird that the draft's sample cert is advertising
a AEAD ciphersuite preference for GCM and EAX over OCB, given the
draft's clear preference for OCB, and that it's using SHA2-512 to sign a
certificate that advertises a preference for SHA2-256 over SHA2-512.
And it's odd that there is no symmetric cipher preference list, given
that the Features subpacket advertises support for SEIPDv1.

I'd propose the sample cert should list the following simple and fairly
narrow preferences to exercise some of the new directions that the
update is heading toward:

 - hashes: sha2-512 sha3-512 sha2-256 sha3-256
 - symmetric ciphers: aes256 aes128
 - compression: none
 - AEAD: aes256-OCB aes128-OCB

What do y'all think?  I don't think this is worth engaging in a conflict
over, as it's just an example; if folks want to keep the current values,
i'm happy to keep it as is.

    --dkg

v2.35.0 | Report a Bug | By Email | System Status