Re: [smime] Problems with versions
Carl Wallace <carl@redhoundsoftware.com> Thu, 05 May 2022 13:06 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24E7AC14F73D for <smime@ietfa.amsl.com>; Thu, 5 May 2022 06:06:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=redhoundsoftware.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vP2ucck3DWOF for <smime@ietfa.amsl.com>; Thu, 5 May 2022 06:06:04 -0700 (PDT)
Received: from mail-qt1-x835.google.com (mail-qt1-x835.google.com [IPv6:2607:f8b0:4864:20::835]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92DEEC14F73E for <smime@ietf.org>; Thu, 5 May 2022 06:06:04 -0700 (PDT)
Received: by mail-qt1-x835.google.com with SMTP id k2so3069404qtp.1 for <smime@ietf.org>; Thu, 05 May 2022 06:06:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware.com; s=google; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=dyEpBfWLwL6ZPb6PTl8ocgEh2G73G5piHImgu134nmQ=; b=dE3ULfAv4zMOAc8L7TJtM2QZfRhQNaYiqwxSm6u7bU6Poi/imLm4ZvrbnDFwif695M wy6GRi3y+gpOaI5K7feR2YalaNewcsh7ov4hxLq07APKrssRueiYhj6XQe4jk/XAEeNU TCzRXUaqnbgjDwZvkhOsO2qptCNGKtnGU9+pA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=dyEpBfWLwL6ZPb6PTl8ocgEh2G73G5piHImgu134nmQ=; b=CyCtqfTFZe3UpLGfqdavV5gSaqGyPOH46V79J0N2U/+QuvtPhITX9vAz+S7zL8EFNa NlinIcQ/UilRLje1WfLpe7Pt+bXb71u0nQGxTyyXOY+oO1c4aVA9NDPoo5lKnr+REQ6W hFKJ+Dd8PKpFjK8nIlhnzBfApq0+LDq+dDsvWis8PUa4Yzoxmn9Y20nxcamzy5qwxo1x n0uVW+752VQg46mK3gBTHwBnY2yrd2TctMqJjhw3wXEYXDdthtcF7hthRq9mY3d390qx K+8ZHH2JN4vi/8qBeq0Yi8i9tAGWY5LBSePAulrAE/FGgft5hviZkEzJq6r1VAsSIfdP zMIQ==
X-Gm-Message-State: AOAM533l4JiwBbv9gDu70l7mboQhb8VnCx5tQQLhXfk7czJPz86PHYwn DNPtQw/bQRjg2S/gdZoEcC8hftDmDzLtlw==
X-Google-Smtp-Source: ABdhPJwPLJslnBhBngvJq82j/O4Rr70lnJckZOXs9P3POGaURDLLfVaErZkGQ/DakhspesLtusOvrg==
X-Received: by 2002:a05:622a:507:b0:2f3:816d:6f31 with SMTP id l7-20020a05622a050700b002f3816d6f31mr24177015qtx.207.1651755963066; Thu, 05 May 2022 06:06:03 -0700 (PDT)
Received: from [192.168.2.16] (pool-173-66-88-168.washdc.fios.verizon.net. [173.66.88.168]) by smtp.gmail.com with ESMTPSA id t196-20020a37aacd000000b0069fc13ce1d7sm783804qke.8.2022.05.05.06.06.02 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 05 May 2022 06:06:02 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/16.60.22041000
Date: Thu, 05 May 2022 09:06:02 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>, Russ Housley <housley@vigilsec.com>, Spasm <spasm-bounces@ietf.org>
CC: IETF SMIME <smime@ietf.org>
Message-ID: <465948BF-6A7A-4BE3-9D90-3D788E3E9273@redhoundsoftware.com>
Thread-Topic: [smime] Problems with versions
References: <SY4PR01MB6251E381603FAFE558685D86EEFE9@SY4PR01MB6251.ausprd01.prod.outlook.com> <CA16AFE1-CB97-4134-8FC9-4B8B964ACD6E@vigilsec.com> <SY4PR01MB62512D541C42E6873562A17CEEC29@SY4PR01MB6251.ausprd01.prod.outlook.com>
In-Reply-To: <SY4PR01MB62512D541C42E6873562A17CEEC29@SY4PR01MB6251.ausprd01.prod.outlook.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/5vX8_2a1xpMPAMPY-_CkfUrvuqI>
Subject: Re: [smime] Problems with versions
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2022 13:06:09 -0000
+ LAMPS I wonder how many implementations defer the decoding of SignerInfos until after the version number is read. Mine does not, so presence of new SignerInfo or ReceipientInfo types would cause failure to parse without ever seeing the version number. I don't check the version number at all for SignedData/SignerInfo at verification time and just use whichever of SKID or issuer/serial is present. I have also never seen a v4 or v5. There aren't any extensibility markers in the places you’d need them to introduce new SignerInfo or ReceipientInfo types without breaking folks. On 5/5/22, 8:34 AM, "smime on behalf of Peter Gutmann" <smime-bounces@ietf.org on behalf of pgut001@cs.auckland.ac.nz> wrote: Russ Housley <housley@vigilsec.com> writes: >That is, an unrecognized version can save the recipient for getting a parsing >error. But they won't be getting a parsing error, see the example I gave: > SignedData { > version = 7, > digestAlgorithms, > content, > signerInfos { > signerInfo version = 7, > signerInfo version = 6, > signerInfo version = 1 > } > } If you change the SignedData version to 1 then an implementation that doesn't understand version 6 or 7 signerInfos can still process the message because there's a version 1 signerInfo present. However if you set it at 7 then the implementation is being told it can't (or shouldn't) process the message even though it can. The fact that there's some not-currently-recognised but totally processable (meaning read the header and skip the remaining payload) entry somewhere further down in the message doesn't mean that the whole message should be marked as unprocessable by an implementation. If there's any implementers still on the list, what would your code do if it encountered the above message? And what would it do if the SignedData version was 1 instead of 7? Peter. _______________________________________________ smime mailing list smime@ietf.org https://www.ietf.org/mailman/listinfo/smime
- [smime] Problems with versions Peter Gutmann
- Re: [smime] Problems with versions Russ Housley
- Re: [smime] Problems with versions Peter Gutmann
- Re: [smime] Problems with versions Carl Wallace
- Re: [smime] Problems with versions Russ Housley
- Re: [smime] Problems with versions Russ Housley
- Re: [smime] Problems with versions Carl Wallace
- Re: [smime] Problems with versions Peter Gutmann
- Re: [smime] Problems with versions Peter Gutmann
- Re: [smime] [lamps] Problems with versions Russ Housley
- Re: [smime] [lamps] Problems with versions Peter Gutmann