Re: [smime] Problems with versions
Russ Housley <housley@vigilsec.com> Mon, 02 May 2022 13:12 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 692A8C15E3EF for <smime@ietfa.amsl.com>; Mon, 2 May 2022 06:12:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4SdOdwsNSTjF for <smime@ietfa.amsl.com>; Mon, 2 May 2022 06:11:58 -0700 (PDT)
Received: from mail3.g24.pair.com (mail3.g24.pair.com [66.39.134.11]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD37CC15E3E7 for <smime@ietf.org>; Mon, 2 May 2022 06:11:21 -0700 (PDT)
Received: from mail3.g24.pair.com (localhost [127.0.0.1]) by mail3.g24.pair.com (Postfix) with ESMTP id B05129C04A; Mon, 2 May 2022 09:11:20 -0400 (EDT)
Received: from [192.168.1.161] (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail3.g24.pair.com (Postfix) with ESMTPSA id 9BE6A9D416; Mon, 2 May 2022 09:11:20 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <SY4PR01MB6251E381603FAFE558685D86EEFE9@SY4PR01MB6251.ausprd01.prod.outlook.com>
Date: Mon, 02 May 2022 09:11:19 -0400
Cc: IETF SMIME <smime@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA16AFE1-CB97-4134-8FC9-4B8B964ACD6E@vigilsec.com>
References: <SY4PR01MB6251E381603FAFE558685D86EEFE9@SY4PR01MB6251.ausprd01.prod.outlook.com>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/GLsF1VI2ygbjEJ2uAwyRtG4Q9lY>
Subject: Re: [smime] Problems with versions
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 13:12:02 -0000
Peter: The version should be helping the recipient. If the sender follows the MUST statements, the recipient should not find themselves in a situation where the cannot parse past the version number. That is, an unrecognized version can save the recipient for getting a parsing error. Russ > On May 1, 2022, at 11:46 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > > This issue has just come up in the OpenPGP WG but it affects CMS as well: What > happens if you find data structures with an unexpected version number, e.g. in > SignedData or SignerInfos? Currently the spec says, for SignedData: > > IF ((certificates is present) AND > (any certificates with a type of other are present)) OR > ((crls is present) AND > (any crls with a type of other are present)) > THEN version MUST be 5 > ELSE > IF (certificates is present) AND > (any version 2 attribute certificates are present) > THEN version MUST be 4 > ELSE > IF ((certificates is present) AND > (any version 1 attribute certificates are present)) OR > (any SignerInfo structures are version 3) OR > (encapContentInfo eContentType is other than id-data) > THEN version MUST be 3 > ELSE version MUST be 1 > > and for SignerInfos: > > version is the syntax version number. If the SignerIdentifier is > the CHOICE issuerAndSerialNumber, then the version MUST be 1. If > the SignerIdentifier is subjectKeyIdentifier, then the version > MUST be 3. > > For SignerInfos this explicitly excludes any future updates because it says > the only permitted values are 1 or 3, and for SignedData 1, 3, 4, or 5, > although I can't imagine anything ever producing a signature with a version or > 4 or 5 and have never seen one used. Given that 5 refers to undefined > certificate types I can't even see *how* it could be used, and I've never seen > attribute certs used with CMS so I assume 4 is never used either. > > For the RecipientInfos the versions are similarly hardcoded, although it's a > bit more complex there, I'll skip that bit and let people refer to the spec. > > The problem this causes, apart from excluding ever updating the format, is > that there are situations when you need to process versions other than the > ones allowed in the spec. Consider a message in the following format: > > SignedData { > version = 7, > digestAlgorithms, > content, > signerInfos { > signerInfo version = 7, > signerInfo version = 6, > signerInfo version = 1 > } > } > > So there's a signature in there that can be processed by something that > understands version 1, but the SignedData has a version that says it can't. > In fact the SignedData spec sets a dangerous precedent: > > IF ((certificates is present) AND > (any version 1 attribute certificates are present)) OR > (any SignerInfo structures are version 3) OR > (encapContentInfo eContentType is other than id-data) > THEN version MUST be 3 > ELSE version MUST be 1 > > Assuming you have an implementation that understands version n (in this > example 1) but not n + m (in this case 3), a SignedData with both version 1 > and version 3 SignerInfo, of which version 1 can be processed by the > implementation, would be marked with a SignedData version of 3, which can't. > Extending this to some future SignerInfo version x, the SignedData would also > be marked as x even if a version 1 SignerInfo was present alongside the > version x SignerInfo, making it non-processable by an implementation. > > To fix at least some of this, the Encrypted/Signed/whateverData versions > should not be dependent on the Signer/RecipientInfo versions: The xxxData > format stays the same no matter what the Signer/RecipientInfo versions are, so > unless the format of the xxxData changes there should only be one version > necessary. This allows future updates for new Signer/RecipientInfo versions > without breaking every implementation that only allows the currently-defined > xxxData versions. > > This also fixes the problem with forwards-compatibility, because now if you > see an xxxData with an unknown version type you know that it's something you > actually can't process, rather than an indication that it's something you may > be perfectly capable of processing but that some obscure field fifteen levels > down has been set to A rather than B and so the sender had to change the > version number because of this. > > The second issue, currently being debated on OpenPGP, is how you handle a > situation like: > > signerInfos { > signerInfo version = 7, > signerInfo version = 6, > signerInfo version = 1 > } > > Do you report a bad-signature result for the first two? An unknown status? > If the third one verifies, do you report it as an overall verification? Best > two of three? > > If you're having trouble seeing this is anything other than an abstract > problem, assume you're being asked to write a spec for a new key transport or > signature type, i.e. Signer/RecipientInfo, that can't be handled by the > current format. How will you add this in a manner that doesn't break every > existing implementation? > > Peter. > > _______________________________________________ > smime mailing list > smime@ietf.org > https://www.ietf.org/mailman/listinfo/smime
- [smime] Problems with versions Peter Gutmann
- Re: [smime] Problems with versions Russ Housley
- Re: [smime] Problems with versions Peter Gutmann
- Re: [smime] Problems with versions Carl Wallace
- Re: [smime] Problems with versions Russ Housley
- Re: [smime] Problems with versions Russ Housley
- Re: [smime] Problems with versions Carl Wallace
- Re: [smime] Problems with versions Peter Gutmann
- Re: [smime] Problems with versions Peter Gutmann
- Re: [smime] [lamps] Problems with versions Russ Housley
- Re: [smime] [lamps] Problems with versions Peter Gutmann