IETF Logo Mail Archive

Re: [pkix] Signature Verification and DER requirements

"Erik Andersen" <era@x500.eu> Fri, 15 May 2015 14:12 UTC

Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EA5181A8711 for <pkix@ietfa.amsl.com>; Fri, 15 May 2015 07:12:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.579
X-Spam-Level: **
X-Spam-Status: No, score=2.579 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=0.77] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PMT705ntyk7k for <pkix@ietfa.amsl.com>; Fri, 15 May 2015 07:12:46 -0700 (PDT)
Received: from mail04.dandomain.dk (mail04.dandomain.dk [194.150.112.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAAE11A9027 for <pkix@ietf.org>; Fri, 15 May 2015 07:12:39 -0700 (PDT)
Received: from Morten ([62.44.135.25]) by mail04.dandomain.dk (DanDomain Mailserver) with ASMTP id 4201505151612365525 for <pkix@ietf.org>; Fri, 15 May 2015 16:12:36 +0200
From: Erik Andersen <era@x500.eu>
To: 'IETF PKIX' <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AB020EBB@uxcn10-tdc05.UoA.auckland.ac.nz>
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C73AB020EBB@uxcn10-tdc05.UoA.auckland.ac.nz>
Date: Fri, 15 May 2015 16:12:32 +0200
Message-ID: <000001d08f19$3210caa0$96325fe0$@x500.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJTWJbGz2/yhOHJtiOftGAx2g1knJx3JK1w
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/jEXmtT__M6Wkq1s0L5XqMxf2gfQ>
Subject: Re: [pkix] Signature Verification and DER requirements
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 May 2015 14:12:48 -0000

As Peter states. It is confusing, and I am not sure how to get it right.

RFC 5280 in 4.1 say: For signature calculation, the data that is to be
signed is encoded using the ASN.1 distinguished encoding rules (DER). This
sentence could be read that the certificate when transmitted does not have
to be DER encoded.

Both RFC 5280 and X.509 requires an extension, which is encapsulated in  an
octet string, to be DER encoded.

We tried to make the DER encoding mandatory in a technical corrigendum, but
we got a ballot comment from Japan saying:

"The proposed change will break the backward
compatibility.
In the current (from the first to the seventh)
edition, the TBSCertificate data type may be
encoded using the BER, if it is temporally
encoded using the DER during the HASH and the
ENCRYPTED-HASH calculation.
The mandate of DER encoding will exclude such
certificates."

The Japene comment suggested the following text:

"It shall be encoded using the BER or the DER,
though the DER encoding is required when the
validation of SIGNED type is performed. It is
(strongly) recommended to use the DER at all
times, if no attention to the backward compatibility
with the earlier editions of this specification is
necessary."

Since 1997 the following has been included in X.509.

"Generating distinguished encoding requires the abstract syntax of the data
to be encoded to be fully understood. An entity may be required to sign data
or check the signature of data that is already signed or contains unknown
protocol extensions or unknown attribute syntaxes. The entity shall follow
these rules:
–	It shall preserve the encoding of received information whose
abstract syntax it does not fully know and which it expects to subsequently
sign.
–	When signing data for sending, it shall send data whose syntax it
fully knows with a distinguished encoding and any other data with its
preserved encoding, and shall sign the actual encoding it sends.
–	When checking signatures in received data, it shall check the
signature against the actual data received rather than its conversion of the
received data to a distinguished encoding."

This text seems to assume that a certificate shall always be DER encoded

I am interested in comments.

Kind regards,

Erik

-----Oprindelig meddelelse-----
Fra: pkix [mailto:pkix-bounces@ietf.org] På vegne af Peter Gutmann
Sendt: 14 May 2015 19:58
Til: IETF PKIX
Emne: Re: [pkix] Signature Verification and DER requirements

Jeffrey Walton <noloader@gmail.com> writes:

>What is the expected behavior when complying software that expects DER 
>consumes a non-DER encoded certificate during signature verification?

The expected behaviour is random, some will accept it, some will reject it.
When I say "random" I mean it really is a coin-toss, you should be OK with
not sorting the attributes in a SET OF, but there are implementations out
there that check for it and will complain about it.  My code sorts (in order
to deal with said implementations), but doesn't check for sortedness when
processing things.

Peter.
_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email