IETF Logo Mail Archive

Re: [pkix] Signature Verification and DER requirements

"Erik Andersen" <era@x500.eu> Sat, 16 May 2015 07:16 UTC

Return-Path: <era@x500.eu>
X-Original-To: pkix@ietfa.amsl.com
Delivered-To: pkix@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CFB601B2A7C for <pkix@ietfa.amsl.com>; Sat, 16 May 2015 00:16:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.778
X-Spam-Level: *
X-Spam-Status: No, score=1.778 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, HELO_EQ_DK=1.009, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_WEB=0.77] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yq_Av9mh8omY for <pkix@ietfa.amsl.com>; Sat, 16 May 2015 00:16:00 -0700 (PDT)
Received: from mail04.dandomain.dk (mail04.dandomain.dk [194.150.112.204]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1AD551ACE7E for <pkix@ietf.org>; Sat, 16 May 2015 00:15:59 -0700 (PDT)
Received: from Morten ([62.44.135.25]) by mail04.dandomain.dk (DanDomain Mailserver) with ASMTP id 4201505160915548713 for <pkix@ietf.org>; Sat, 16 May 2015 09:15:54 +0200
From: Erik Andersen <era@x500.eu>
To: PKIX <pkix@ietf.org>
References: <9A043F3CF02CD34C8E74AC1594475C73AB020EBB@uxcn10-tdc05.UoA.auckland.ac.nz> <000001d08f19$3210caa0$96325fe0$@x500.eu> <CAH8yC8m6V1=PtSua5q5ZWXFY+WnUwdiV_cyoyXyMDeT0iByH_g@mail.gmail.com> <25f0ef53824f44589e5e2b36fa40a8d6@svaexch1.cygnacom.com>
In-Reply-To: <25f0ef53824f44589e5e2b36fa40a8d6@svaexch1.cygnacom.com>
Date: Sat, 16 May 2015 09:15:55 +0200
Message-ID: <000001d08fa8$268d8170$73a88450$@x500.eu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQJTWJbGz2/yhOHJtiOftGAx2g1knACOJ2FoAoLOhLkB7krzUpxQoWng
Content-Language: en-gb
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/zoaKAEz51Hjwka48IAU7-OHKSmE>
Subject: Re: [pkix] Signature Verification and DER requirements
X-BeenThere: pkix@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: PKIX Working Group <pkix.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pkix>, <mailto:pkix-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pkix/>
List-Post: <mailto:pkix@ietf.org>
List-Help: <mailto:pkix-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pkix>, <mailto:pkix-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 May 2015 07:16:03 -0000

It appears for me that the Japanese comment should be rejected. I will bring
that up on our own list, as that is the decision making list for X.509.

The Japanese comment implies (as I read it), as you do not whether a
received cert is DER or non-DER encoded, you need to decode it and encode it
in DER before checking the signature. In a constrained environment this
seems an unnecessary burden to put on an RP.

Jeff write that you could reject a cert because it is non-DER encoded. How
do detect that without analysing the cert in details. If you do minimum
processing, you will just discover the signature validation failed.

I brought the issue up on this list due to the level of expertise on this
list and because a thread was going on this issue.

Kind regards,

Erik

-----Oprindelig meddelelse-----
Fra: Santosh Chokhani [mailto:schokhani@cygnacom.com] 
Sendt: 15 May 2015 22:45
Til: noloader@gmail.com; Erik Andersen
Cc: IETF PKIX
Emne: RE: [pkix] Signature Verification and DER requirements

+1

-----Original Message-----
From: pkix [mailto:pkix-bounces@ietf.org] On Behalf Of Jeffrey Walton
Sent: Friday, May 15, 2015 3:40 PM
To: Erik Andersen
Cc: IETF PKIX
Subject: Re: [pkix] Signature Verification and DER requirements

On Fri, May 15, 2015 at 10:12 AM, Erik Andersen <era@x500.eu> wrote:
> As Peter states. It is confusing, and I am not sure how to get it right.
>
> ...
> I am interested in comments.
>
Maybe the easiest course is to side-step the issue altogether. The issue
here is verification, so focus on it.

Leave things the way they are related to encoding the certificate and
signing the certificate (or more correctly, tbsCertificate).

Then be explicit about how to verify it. That is, explicitly state bits
should be verified as they are received; and they should not be rearranged
to comply with anything because that will usually (always?) invalidate the
signature.

Allowing the bits to be rearranged during verification just seems wrong. It
effectively creates a potential for a DoS when there's no need for one to
exist. The security goals were met earlier, when the identity was bound to
the public key.

I also think you should give an implementation a choice during
verification: they can choose to reject a non-DER encoded certificate
because that's how things are written. But they should reject for the proper
reason: reject because its no-DER encoded; and not becuase they re-arranged
bits that caused a signature failure.

Allowing a receiver to rearrange bits and then claim the signature
verification failed is just plain wrong. They may as well have performed
'certificate[0] XOR 0x01' and claimed the certificate was tampered. There's
no difference.

Jeff

_______________________________________________
pkix mailing list
pkix@ietf.org
https://www.ietf.org/mailman/listinfo/pkix

v2.23.0 | Report a Bug | By Email