IETF Logo Mail Archive

Re: [pkix] Signature Verification and DER requirements

Jeffrey Walton <noloader@gmail.com> Mon, 18 May 2015 16:48 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63D971A1A80 for <pkix@ietfa.amsl.com>; Mon, 18 May 2015 09:48:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ewo9-QUebtPy for <pkix@ietfa.amsl.com>; Mon, 18 May 2015 09:48:31 -0700 (PDT)
Received: from mail-ig0-x236.google.com (mail-ig0-x236.google.com [IPv6:2607:f8b0:4001:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 958881A040B for <pkix@ietf.org>; Mon, 18 May 2015 09:48:31 -0700 (PDT)
Received: by igcau1 with SMTP id au1so52669702igc.1 for <pkix@ietf.org>; Mon, 18 May 2015 09:48:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:reply-to:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=csHLxZQjaVb/hoXlUJi+c3h5IfOkcDgCEIzg1MXvSbo=; b=Y7UEH0wFEXSQ8nSibmaNC5oQJKLan27rh5OlRz6nOfUZWgnb0b/3HykowaL9ZR8OKm tmnfdEVTSiXW3gnZlOiI9aghhaX+8oZmhCR+OSLwTd2sub2e1nZ8U2C/VuMGjJLCoJcY +qz56x91lx0FLCkg1WFk1iWygFNGybE7RZGKpFE4rYosM6LkYON8OrvAdUaGEAktK5fL T7C9FFedsNxUUo01/l614VmnTZaWHfmwNHOYTxrUPkpPAj9bLYjmqXakflStEswLsI+7 s6sPpHTJotQv92mi+Hao4Lh/ulsd8RlvYbGmjfHk3UJXC64aotDBPGpEVoYufsnCNafJ ylGg==
MIME-Version: 1.0
X-Received: by 10.107.157.130 with SMTP id g124mr351921ioe.11.1431967711033; Mon, 18 May 2015 09:48:31 -0700 (PDT)
Received: by 10.36.77.15 with HTTP; Mon, 18 May 2015 09:48:30 -0700 (PDT)
In-Reply-To: <000001d08fa8$268d8170$73a88450$@x500.eu>
References: <9A043F3CF02CD34C8E74AC1594475C73AB020EBB@uxcn10-tdc05.UoA.auckland.ac.nz> <000001d08f19$3210caa0$96325fe0$@x500.eu> <CAH8yC8m6V1=PtSua5q5ZWXFY+WnUwdiV_cyoyXyMDeT0iByH_g@mail.gmail.com> <25f0ef53824f44589e5e2b36fa40a8d6@svaexch1.cygnacom.com> <000001d08fa8$268d8170$73a88450$@x500.eu>
Date: Mon, 18 May 2015 12:48:30 -0400
Message-ID: <CAH8yC8kdt3+Da1GvGPPOutZRG=H=UUuXGgQ91yX0sVvjRe3wUg@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
To: Erik Andersen <era@x500.eu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/NOaVkf6zq_lCAHwFg7rxwJp7sSE>
Cc: PKIX <pkix@ietf.org>
Subject: Re: [pkix] Signature Verification and DER requirements
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: noloader@gmail.com
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 May 2015 16:48:33 -0000

Hi Erik,

> Jeff write that you could reject a cert because it is non-DER encoded. How
> do detect that without analysing the cert in details. If you do minimum
> processing, you will just discover the signature validation failed.

If I was implementing this, here's how I would approach it:

  (1) verify the signature on the certificate without "deeply" parsing
the certificate.
  (2) accept BER/CER/DER because they are just presentation formats

I can get away with (1) because I already know the signer and the
signer's key. I don't use the browser/internet security model, and I
don't need to go rummaging around for signers and keys.

Many others can get away without rummaging for signers and keys, too.
A well configured server sends the certificates required for a chain
in a particular order. They do that to avoid the "which directory"
problem. So the answers are often at your fingertips without the need
to go hunting for signers and keys.

For (2), BER/CER/DER is just a presentation format. It adds nothing to
the security goals, and it takes nothing away from the security goals.
The best I can tell, its useless criteria because it has 0 impact on
security.

For what its worth, I would reject an end-entity certificate if a
server did *not* send the proper chain. We often need the chain to
avoid the "which directory" and the "deep parsing" problems. To me,
that's a valid reason to reject because it affects our ability to
verify a signature, which is completely security related.

Jeff

On Sat, May 16, 2015 at 3:15 AM, Erik Andersen <era@x500.eu> wrote:
> It appears for me that the Japanese comment should be rejected. I will bring
> that up on our own list, as that is the decision making list for X.509.
>
> The Japanese comment implies (as I read it), as you do not whether a
> received cert is DER or non-DER encoded, you need to decode it and encode it
> in DER before checking the signature. In a constrained environment this
> seems an unnecessary burden to put on an RP.
>
> Jeff write that you could reject a cert because it is non-DER encoded. How
> do detect that without analysing the cert in details. If you do minimum
> processing, you will just discover the signature validation failed.
>
> I brought the issue up on this list due to the level of expertise on this
> list and because a thread was going on this issue.
>
> Kind regards,
>
> Erik
>
> -----Oprindelig meddelelse-----
> Fra: Santosh Chokhani [mailto:schokhani@cygnacom.com]
> Sendt: 15 May 2015 22:45
> Til: noloader@gmail.com; Erik Andersen
> Cc: IETF PKIX
> Emne: RE: [pkix] Signature Verification and DER requirements
>
> +1
>
> -----Original Message-----
> From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Jeffrey Walton
> Sent: Friday, May 15, 2015 3:40 PM
> To: Erik Andersen
> Cc: IETF PKIX
> Subject: Re: [pkix] Signature Verification and DER requirements
>
> On Fri, May 15, 2015 at 10:12 AM, Erik Andersen <era@x500.eu> wrote:
>> As Peter states. It is confusing, and I am not sure how to get it right.
>>
>> ...
>> I am interested in comments.
>>
> Maybe the easiest course is to side-step the issue altogether. The issue
> here is verification, so focus on it.
>
> Leave things the way they are related to encoding the certificate and
> signing the certificate (or more correctly, tbsCertificate).
>
> Then be explicit about how to verify it. That is, explicitly state bits
> should be verified as they are received; and they should not be rearranged
> to comply with anything because that will usually (always?) invalidate the
> signature.
>
> Allowing the bits to be rearranged during verification just seems wrong. It
> effectively creates a potential for a DoS when there's no need for one to
> exist. The security goals were met earlier, when the identity was bound to
> the public key.
>
> I also think you should give an implementation a choice during
> verification: they can choose to reject a non-DER encoded certificate
> because that's how things are written. But they should reject for the proper
> reason: reject because its no-DER encoded; and not becuase they re-arranged
> bits that caused a signature failure.
>
> Allowing a receiver to rearrange bits and then claim the signature
> verification failed is just plain wrong. They may as well have performed
> 'certificate[0] XOR 0x01' and claimed the certificate was tampered. There's
> no difference.

v2.23.0 | Report a Bug | By Email