Re: [pkix] Clarification on "zero" hash value in SigPolicyHash (CAdES)

Stefan Santesson <stefan@aaa-sec.com> Mon, 15 July 2019 08:21 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E077612001E for <pkix@ietfa.amsl.com>; Mon, 15 Jul 2019 01:21:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.597
X-Spam-Level:
X-Spam-Status: No, score=-2.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2sYR4Ni8K9wS for <pkix@ietfa.amsl.com>; Mon, 15 Jul 2019 01:21:55 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [194.9.95.112]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BB1A120074 for <pkix@ietf.org>; Mon, 15 Jul 2019 01:21:54 -0700 (PDT)
Received: from s554.loopia.se (localhost [127.0.0.1]) by s554.loopia.se (Postfix) with ESMTP id 19DE11F18620 for <pkix@ietf.org>; Mon, 15 Jul 2019 10:21:52 +0200 (CEST)
Received: from s499.loopia.se (unknown [172.21.200.35]) by s554.loopia.se (Postfix) with ESMTP id EFD3E794AEA; Mon, 15 Jul 2019 10:21:51 +0200 (CEST)
Received: from s473.loopia.se (unknown [172.22.191.6]) by s499.loopia.se (Postfix) with ESMTP id EB0A11CDADEC; Mon, 15 Jul 2019 10:21:51 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s500.loopia.se ([172.22.191.5]) by s473.loopia.se (s473.loopia.se [172.22.190.13]) (amavisd-new, port 10024) with LMTP id zO0xaDXkgV69; Mon, 15 Jul 2019 10:21:51 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 85.235.7.89
Received: from [192.168.1.217] (gw.aaa-sec.ideon.se [85.235.7.89]) (Authenticated sender: mailstore2@aaa-sec.com) by s500.loopia.se (Postfix) with ESMTPSA id 584101E1460C; Mon, 15 Jul 2019 10:21:51 +0200 (CEST)
User-Agent: Microsoft-MacOutlook/10.1a.0.190609
Date: Mon, 15 Jul 2019 10:21:51 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: Niklas Matthies <pkix@nmhq.net>, <pkix@ietf.org>
Message-ID: <A17C1A7A-F0D4-4347-B51C-4F432B385511@aaa-sec.com>
Thread-Topic: [pkix] Clarification on "zero" hash value in SigPolicyHash (CAdES)
References: <20190712200549.2kgzjqodj5afnxlt@nmhq.net>
In-Reply-To: <20190712200549.2kgzjqodj5afnxlt@nmhq.net>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/6-uzBm2KQDtAvP8V6Xy1yzNllmU>
Subject: Re: [pkix] Clarification on "zero" hash value in SigPolicyHash (CAdES)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 08:21:58 -0000

Hi Niklas,

A very interesting question to which I have absolutely no answer. But I have forwarded your question to the ESI group in ETSI who wrote that standard as I'm still a member of that group.
I'll forward any answer I can get out of this group


Stefan Santesson 

On 2019-07-12, 22:07, "pkix on behalf of Niklas Matthies" <pkix-bounces@ietf.org on behalf of pkix@nmhq.net>; wrote:

    Dear all,
    
    I hope that someone can shed some light on the definition and origin 
    of the special-case "zero" hash value for SigPolicyHash in CAdES. The 
    main question is what exactly constitutes a "zero" hash value on the 
    ASN.1 level.
    
    In the most current CAdES specification, ETSI EN 319 122-1 V1.1.1 
    (2016-04), the zero hash value is described as follows (clause 
    5.2.9.1, page 20): 
        
        The sigPolicyHash field shall contain the identifier of the hash 
        algorithm and the hash of the value of the signature policy.
        The hashValue within the sigPolicyHash may be set to zero to 
        indicate that the policy hash value is not known.
    
            NOTE: The use of a zero-sigPolicyHash value is to ensure 
            backwards compatibility with earlier versions of ETSI TS 101 733 [1].
    
    The ASN.1 definition of SigPolicyHash is as follows:
    
        SignaturePolicyId ::= SEQUENCE {
            sigPolicyId SigPolicyId,
            sigPolicyHash SigPolicyHash,
            sigPolicyQualifiers SEQUENCE SIZE (1..MAX) OF 
                SigPolicyQualifierInfo OPTIONAL
        }
    
        SigPolicyHash ::= OtherHashAlgAndValue
    
        OtherHashAlgAndValue ::= SEQUENCE {
            hashAlgorithm   AlgorithmIdentifier,
            hashValue       OtherHashValue }
    
        OtherHashValue ::= OCTET STRING
    
    The question is what constitutes a "zero" hash value. A zero-length 
    octet string? Any octet string where all octets are zero? Is the 
    length of the octet string relevant, e.g. can or should it match the 
    length implied by the hash algorithm?
    
    I spent some time going back the history of the standards to find the 
    "earlier version" relevant for the note about backwards compatibility, 
    however that search was inconclusive.
    
    All versions of ETSI TS 101 733 from the latest V2.2.1 (2013-04) back 
    to V1.7.4 (2008-07) include the following note, which had a second 
    sentence added:
    
            NOTE: The use of a zero-sigPolicyHash value is to ensure 
            backwards compatibility with earlier versions of the
            current document. If sigPolicyHash is zero, then the hash 
            value should not be checked against the calculated hash value 
            of the signature policy.
    
    Confusingly, this now talks about sigPolicyHash being zero (whatever that 
    would mean), not about the hashValue field within sigPolicyHash.
    
    The same text appears in RFC 5126 (February 2008).
    
    The previous version ETSI TS 101 733 V1.7.3 (2007-01) is the first 
    version to talk about a zero hash value, and the note is just one 
    sentence again:
    
        The hashValue within the sigPolicyHash max [sic] be set to zero to 
        indicate that the policy hash value is not known.
    
            NOTE: The use of zero policy hash value is to ensure backward 
            compatibility with earlier versions of the current document.
    
    In addition, the annex states the following:
    
        Annex K (informative): Changes from the previous version
    
            • if the hash of the signature policy is unknown, then, by 
            convention, the sigPolicyHash shall be set to all zero
    
    Here again, the annex talks about sigPolicyHash being set to zero, 
    not the hashValue within sigPolicyHash.
    
    On the RFC side, the same note first appears in 
    https://tools.ietf.org/html/draft-ietf-smime-cades-02 (May 2007), 
    and the sentence above (without the note) first appears in 
    https://tools.ietf.org/html/draft-ietf-smime-cades-01 (April 2006).
    
    In the previous ETSI TS 101 733 V1.6.3 (2005-09), the sigPolicyHash 
    field is optional (which is mandatory in all previous and all 
    subsequent versions), and the following note is included:
    
            NOTE: In the previous version of TS 101 733 (i.e. version 1.5.1) 
            sigPolicyHash was mandatory. Implementations requiring to be 
            backward compatible with version 1.5.1 and previous versions 
            of the current document MUST include SigPolicyHash.
    
    None of the previous versions, from ETSI TS 101 733 V1.5.1 (2003-12) 
    back to ETSI TS 101 733 V1.2.2 (2000-12) (the earliest version available 
    at https://www.etsi.org/deliver/etsi_ts/101700_101799/101733/), as 
    well as RFC 3126 (September 2001), do mention anything about zero hash 
    values.
    
    So it remains unclear to which specification backwards compatiblity is 
    intended. The point where the wording about zero hash values was 
    introduced suggests that this may be about V1.6.3, where the
    sigPolicyHash field was optional. However, it's not clear how a "zero" 
    hash value would achieve compatibility with the case of a missing 
    sigPolicyHash field.
    
    I would appreciate any clarification on that topic.
    
    Kind regards,
    Niklas
    
    _______________________________________________
    pkix mailing list
    pkix@ietf.org
    https://www.ietf.org/mailman/listinfo/pkix