IETF Logo Mail Archive

Re: [pkix] [Technical Errata Reported] RFC6960 (6165)

Stefan Santesson <stefan@aaa-sec.com> Mon, 18 May 2020 09:15 UTC

Return-Path: <stefan@aaa-sec.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CBC83A0A09 for <pkix@ietfa.amsl.com>; Mon, 18 May 2020 02:15:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.004
X-Spam-Level:
X-Spam-Status: No, score=0.004 tagged_above=-999 required=5 tests=[HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pmpflqeszTOL for <pkix@ietfa.amsl.com>; Mon, 18 May 2020 02:15:00 -0700 (PDT)
Received: from smtp.outgoing.loopia.se (smtp.outgoing.loopia.se [93.188.3.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B4323A09DA for <pkix@ietf.org>; Mon, 18 May 2020 02:14:59 -0700 (PDT)
Received: from s807.loopia.se (localhost [127.0.0.1]) by s807.loopia.se (Postfix) with ESMTP id 3B4E52F6456C for <pkix@ietf.org>; Mon, 18 May 2020 11:14:54 +0200 (CEST)
Received: from s645.loopia.se (unknown [172.22.191.5]) by s807.loopia.se (Postfix) with ESMTP id 153262E6FC50; Mon, 18 May 2020 11:14:54 +0200 (CEST)
Received: from s473.loopia.se (unknown [172.22.191.6]) by s645.loopia.se (Postfix) with ESMTP id DF7C0156E582; Mon, 18 May 2020 11:14:53 +0200 (CEST)
X-Virus-Scanned: amavisd-new at amavis.loopia.se
Received: from s645.loopia.se ([172.22.191.5]) by s473.loopia.se (s473.loopia.se [172.22.190.13]) (amavisd-new, port 10024) with LMTP id NrBRNHJWXDfz; Mon, 18 May 2020 11:14:52 +0200 (CEST)
X-Loopia-Auth: user
X-Loopia-User: mailstore2@aaa-sec.com
X-Loopia-Originating-IP: 85.235.7.89
Received: from [192.168.2.54] (gw.aaa-sec.ideon.se [85.235.7.89]) (Authenticated sender: mailstore2@aaa-sec.com) by s645.loopia.se (Postfix) with ESMTPSA id 78353156E4A3; Mon, 18 May 2020 11:14:51 +0200 (CEST)
User-Agent: Microsoft-MacOutlook/16.37.20051002
Date: Mon, 18 May 2020 11:14:50 +0200
From: Stefan Santesson <stefan@aaa-sec.com>
To: yury@strozhevsky.com, Erwann Abalea <eabalea@gmail.com>
CC: RFC Errata System <rfc-editor@rfc-editor.org>, ambarish@gmail.com, cadams@eecs.uottawa.ca, kaduk@mit.edu, Stephen Kent <kent@bbn.com>, mmyers@fastq.com, none@rfc-editor.org, pkix@ietf.org, rdd@cert.org, slava.galperin@gmail.com, sts@aaa-sec.com
Message-ID: <475D361F-8875-445F-96CA-5A4F85477D38@aaa-sec.com>
Thread-Topic: [pkix] [Technical Errata Reported] RFC6960 (6165)
References: <20200511121547.17072F4071E@rfc-editor.org> <2013D511-BCF9-4D2C-9331-AA8203235F5F@aaa-sec.com> <cbf5a813fee47f622f34e6c049957228@strozhevsky.com> <CA+i=0E5AdeTwXh41r6=BoqFsaJxyj27n_v2yj0QKk7uX1jFdFQ@mail.gmail.com> <56396ec5c59f0f9b372e79612bf0b13b@strozhevsky.com> <CA+i=0E7=ydQn6QZjU=Mf3YsQYosceTgLW3Tuh5_MRFiDtQu4Yw@mail.gmail.com> <d061c43789382bab4474f211f1fce973@strozhevsky.com>
In-Reply-To: <d061c43789382bab4474f211f1fce973@strozhevsky.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3672645291_455865697"
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/LYxAMMSH2xjJ2kijMpRuyLYThow>
Subject: Re: [pkix] [Technical Errata Reported] RFC6960 (6165)
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2020 09:15:04 -0000

Yury,

 

I don’t believe that you would settle with an even “better” explanation, so I won’t attempt one.

 

I hope the rest of us can agree that the standard text clearly intends to say that the hash is calculated over the unencoded object and not its encoding.

This is less perfectly described in the general text and more accurately described in the normative ASN.1 comment.

 

Let’s just settle with editorial and put this one to rest.

 

Stefan Santesson 

 

From: <yury@strozhevsky.com>
Date: Monday, 18 May 2020 at 07:49
To: Erwann Abalea <eabalea@gmail.com>
Cc: RFC Errata System <rfc-editor@rfc-editor.org>, Stefan Santesson <stefan@aaa-sec.com>, <ambarish@gmail.com>, <cadams@eecs.uottawa.ca>, <kaduk@mit.edu>, Stephen Kent <kent@bbn.com>, <mmyers@fastq.com>, <none@rfc-editor.org>, <pkix@ietf.org>, <rdd@cert.org>, <slava.galperin@gmail.com>, <sts@aaa-sec.com>
Subject: Re: [pkix] [Technical Errata Reported] RFC6960 (6165)

 

Hello Erwan,

The deal it that in case of RFC6960 we have not an abstract "hash something", but a direct explanation that should be hashed ASN.1 BIT STRING without tag and length. 

KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
    (excluding the tag and length fields)

The "responder's public key" is NOT an abstract "bits representing a key", but a ASN.1 BIT STRING value (having DER encoding, btw, please forget about other *ERs). And thus we have this definition of KeyHash:

KeyHash = SHA-1 hash of ASN.1 BIT STRING DER encoded object without tag and length ASN.1 blocks (=> hash of pure ASN.1 BIT STRING DER encoded "Value" block, with "unused bits" byte)

Again: the "responder's public key" is NOT an "abstract bits representing a key", but an ASN.1 BIT STRING DER encoded object. Nowhere in RFC6960 stated other description of "responder's public key". 

The RFC6960 (as any other RFC, I do hope so) is a strictly technical documentation. It is not about "guessing" but a technical description. And the RFC has two different (from technical perspective) descriptions of the same ASN.1 type KeyHash.

 

Best regards,

Yury Strozhevsky

 

Erwann Abalea писал 2020-05-16 15:31:

Bonjour Yuri, 

 

ASN.1 and encoding rules are different but related standards. Therefore, yes, the encoding is not part of the ASN.1 object.

 

If your bit string is of length 0 (i.e. is empty), then its DER encoding will still have this "unused bits" part (and the encoding is then "03 01 00"). Yet, your object is empty, so this octet is not part of it, it's only here to help correctly represent it on the wire because the chosen encoding rules express lengths in octets. See it as an extension to the L field in the TLV triplet.

Please refer to X.690 clause 8.6.2 to see the difference between the content octets composing the primitive encoding and the bit string value.

 

If we had used the PER encoding, this "unused bits" element wouldn't exist (because PER encodes the length in bits for this object type). The example given in my first email, encoded in PER, gives "35 00000000000000", and its encoding could lose 3 bits depending on the variant (UNALIGNED vs ALIGNED) and the object encoded right after it.

 

If XER encoding had be chosen, there wouldn't be any L field, and the bits themselves would be encoded as individual characters (0 or 1).

 

Le sam. 16 mai 2020 à 07:22, <yury@strozhevsky.com> a écrit :

Hello Erwann!

Could you, please, explain "the first octet (unused bits) is not part of the ASN.1 object, it's only part of its encoding"? Encoding is not a part of ASN.1 object?

You are saying "is not part of the ASN.1 object" but right before it said "the first octet". First octet is not a part of BIT STRING value?

 

Best regards,

Yury Strozhevsky

 

Erwann Abalea писал 2020-05-16 04:52:

I also think the errata is editorial.

 

In a BIT STRING encoding, the first octet (unused bits) is not part of the ASN.1 object, it's only part of its encoding.

 

The following hex strings are all valid BER encodings for a BIT STRING composed of 53 bits set to zero:

03 08 03 00000000000000

03 08 03 00000000000007

23 0D 03 02 00 00 03 07 03 000000000000

23 0D 03 02 00 00 03 07 03 000000000007

23 80 03 05 00 00000000 03 04 03 000000 0000

23 80 03 05 00 00000000 03 04 03 000007 0000

 

What is hashed is not the different encodings, but the BIT STRING value.

In the preceding examples, only the first one is a valid DER encoding. And if you hash the 7 octets after the "unused bits" octet, you'll obtain a wrong hash, because the value is 53 bits long, not 56.

 

Le jeu. 14 mai 2020 à 19:11, <yury@strozhevsky.com> a écrit :

Hello All,

Let me explain some details. Firstly I need to say that I already wrote 
a couple of mails to RFC6960 authors and discussed it a little. From 
these discussions I got that before we would start our discussion I need 
to provide you some technical details.

the main problem is that in RFC6960 there are two different description 
for the same type KeyHash. First description is in 4.2.1 "ASN.1 
Specification of the OCSP Response" of RFC6960:

    KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
    (excluding the tag and length fields)

And second is from Appendix B.1 "OCSP in ASN.1 - 1998 Syntax" of 
RFC6960:

KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
                          -- (i.e., the SHA-1 hash of the value of the
                          -- BIT STRING subjectPublicKey [excluding
                          -- the tag, length, and number of unused
                          -- bits] in the responder's certificate)

Then I need to clarify why these two descriptions are not the same. 
Firstly I need to describe ASN.1 type BIT STRING. As all other ASN.1 
types BIT STRING consists of three main parts: "Tag", "Length" and 
"Value" (TLV). But a specific for BIT STRING is that "Value" itself 
devided on two parts: first byte designates "unused bits" (this value 
could be 0-7) and the rest is bits describing bits.
So, when we are saying "SHA-1 hash of responder's key (excluding the tag 
and length fields)" we do assume that SHA-1 hash should be for BIT 
STRING ASN.1 value excluding the "Tag" and "Length" fields (responder's 
key has type BIT STRING). Thus the SHA-1 hash should be for entire 
"Value" block of BIT STRING, with "unused bits" byte (the very first 
byte in BIT STRING "Value" block).

In opposite when we are saying " the SHA-1 hash of the value of the BIT 
STRING subjectPublicKey [excluding the tag, length, and number of unused 
bits] in the responder's certificate" we do assume that SHA-1 hash 
should be for BIT STRING ASN.1 value excluding Tag, Length and the very 
first byte from "Value" (unused bits).

Do you understand that two SHA-1 hashes made using these two 
descriptions of KeyHash would be different? Or I would need to provide 
you a real example with responder's public key values? Feel free to ask 
me for the example.

As a conclusion: the RFC6960 has two descriptions of the same type and a 
hash produced using these two descriptions would have different values. 
This is a mistake. I do not really care how you would fix it and what 
description for KeyHash is correct. But I want to have a correct 
standard for OCSP.

As an addition I found that Appendix B.1 and Appendix B.2 have different 
description for KeyHash. It is the same ASN.1 description, but different 
in comment describing the SHA-1 calculation process. The Appendix B.2, 
in fact, describes KeyHash calculation similar with RFC2560. But 
Appendix B.1 describes new way of KeyHash calculation. Even if these two 
appendicies are not aligned allows me to consider the errata change as 
"technical".

Moreover, RFC6960 changes OCSP protocol in part of KeyHash calculation, 
but it is never stated in any part of RFC6960. So, even if someone says 
"calculation is obvious" but the problem that for KeyHash there is 
"specifying comment". And exactly that "specifying comment" clearly 
specify how to calculate KeyHash. But in RFC6960 there are two different 
"ways of calculating KeyHash" (two different "specifying comments"). 
This is also not an "editorial problem", this is clearly a problem in 
technical description.

Best regards,
Yury Strozhevsky



Stefan Santesson писал 2020-05-11 16:59:
> I respond to all of these erratas collectivey (which I believe should
> be consolidated to 1 and not 3 erratas)
> 
> I think the observation is correct, but I think it is editorial rather
> than technical.
> 
> The normative text is that the KeyHash is the hash of the public key.
> This is in itself clear an unambiguous.
> The imperfection here is not in the normative text, but in the
> explanation where the explanation in B.1 is the most accurate and
> detaild.
> The other shorter explanations are not wrong, but insufficient compared 
> with B.1
> 
> Please also note that a similar definition exist for the 
> "issuerKeyHash" like:
> 
> issuerKeyHash      OCTET STRING, -- Hash of issuer's public key
> 
> 
> I think this is editorial
> 
> 
> 
> Stefan Santesson
> 
> On 2020-05-11, 14:16, "RFC Errata System" <rfc-editor@rfc-editor.org> 
> wrote:
> 
>     The following errata report has been submitted for RFC6960,
>     "X.509 Internet Public Key Infrastructure Online Certificate
> Status Protocol - OCSP".
> 
>     --------------------------------------
>     You may review the report below and at:
>     https://www.rfc-editor.org/errata/eid6165
> 
>     --------------------------------------
>     Type: Technical
>     Reported by: Yury Strozhevsky <yury@strozhevsky.com>
> 
>     Section: 1
> 
>     Original Text
>     -------------
>     ---
> 
>     Corrected Text
>     --------------
>        o  Appendix B.1 provides correct KeyHash type processing
> description. Now SHA-1 hash must be calculated for responder's public
> key ASN.1 value without tag, length and unused bits.
> 
> 
>     Notes
>     -----
>     The RFC6960 changes OCSP protocol in part of KeyHash type
> calculation. In RFC2560 there is the description:
>        KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
>        (excluding the tag and length fields)
> 
>     But in Appendix B.1, which is the major OCSP descriptive module, 
> stated:
>     KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
>                              -- (i.e., the SHA-1 hash of the value of 
> the
>                              -- BIT STRING subjectPublicKey [excluding
>                              -- the tag, length, and number of unused
>                              -- bits] in the responder's certificate)
> 
>     The difference is in what would be under SHA-1 hash. In RFC2560
> KeyHash would be calculated for entire BIT STRING value, with "unused
> bits" byte (first byte in BIT STRING value), but Appendix B.1 in
> RFC6960 states that SHA-1 hash must be calculated for BIT STRING value
> without "unused bits".
> 
>     Instructions:
>     -------------
>     This erratum is currently posted as "Reported". If necessary, 
> please
>     use "Reply All" to discuss whether it should be verified or
>     rejected. When a decision is reached, the verifying party
>     can log in to change the status and edit the report, if necessary.
> 
>     --------------------------------------
>     RFC6960 (draft-ietf-pkix-rfc2560bis-20)
>     --------------------------------------
>     Title               : X.509 Internet Public Key Infrastructure
> Online Certificate Status Protocol - OCSP
>     Publication Date    : June 2013
>     Author(s)           : S. Santesson, M. Myers, R. Ankney, A.
> Malpani, S. Galperin, C. Adams
>     Category            : PROPOSED STANDARD
>     Source              : Public-Key Infrastructure (X.509)
>     Area                : Security
>     Stream              : IETF
>     Verifying Party     : IESG

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

-- 

Erwann.

 


 

-- 

Erwann.

v2.23.0 | Report a Bug | By Email