IETF Logo Mail Archive

Possible ambiguities in encoding of signatures, encrypted keys

pgut001@cs.aucKland.ac.nz (Peter Gutmann) Mon, 12 April 1999 04:54 UTC

Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA13829 for <smime-archive@odin.ietf.org>; Mon, 12 Apr 1999 00:54:04 -0400 (EDT)
Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id VAA09910 for ietf-smime-bks; Sun, 11 Apr 1999 21:07:02 -0700 (PDT)
Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA09906; Sun, 11 Apr 1999 21:06:58 -0700 (PDT)
Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id QAA04716; Mon, 12 Apr 1999 16:07:02 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92389002120806>; Mon, 12 Apr 1999 16:07:01 (NZST)
From: pgut001@cs.aucKland.ac.nz
To: ietf-pkix@imc.org, ietf-smime@imc.org
Subject: Possible ambiguities in encoding of signatures, encrypted keys
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz
Date: Mon, 12 Apr 1999 16:07:01 -0000
Message-ID: <92389002120806@cs26.cs.auckland.ac.nz>
Sender: owner-ietf-smime@imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>

Currently both RFC 2459 and CMS refer to RFC 2313/2437 for the encoding of RSA
signatures/encrypted data (RFC 2459, 7.2.1; CMS, 12.3.2.1 and 12.2.2 - what I'm
about to describe applies to other algorithms as well, but I'll stick with RSA
to keep it simple).  These RFC's make the assumption that the encoded value
will be of the same length as the modulus, zero-padding the value if required
(RFC 2437, 7.2.1 and 8.1.1), however when this padding is used the encoded
value doesn't follow the DER any more.  Although neither RFC 2459 or CMS
require this, the former does imply it when it says (Section 4) "the
certificate is encoded with the ASN.1 distinguished encoding rules (DER)".
Because the signature will be zero-padded a small portion of the time as per
RFC 2313/2437, it's not a DER-encoded value.  In addition I would suspect that
most implementations don't perform the zero-padding (although it's hard to
check because it occurs only about once every 256 times), so they wouldn't
comply with RFC 2313/2437.
 
The zero-padding requirement isn't something which is right or wrong one way or
the other, not padding means you get DER-compliant encodings, but padding is
necessary to allow one-pass encoding of CMS data (unless you use the indefinite
encoding all the way down) since the signature at the end of an arbitrary
amount of data could suddenly shrink by one (or more) bytes, requiring
everything to be re-encoded from the start.
 
To clear up this problem, I'd recommend the following:
 
Change the text in RFC 2459, section 4, to read:
 
  "the tbsCertificate is encoded with the ASN.1 distinguished encoding rules
   (DER)"
 
and add the following text wherever a reference to RFC 2313/2437 is made (I've
listed the section numbers above):
 
  Although RFC 2313/2437 requires that the encoded values be zero-padded to
  match the size of the modulus, this padding doesn't comply with the ASN.1
  distinguished encoding rules (DER) which allow at most one leading zero byte,
  and only if the MSB of the value is set.  Some implementations may choose to
  pad the value as per the RFC's, others may choose to follow the DER.  Both of
  these encoding forms are acceptable, and implementations should be able to
  process both zero-padded and non-padded values.
 
If necessary I guess RFC 2459 could be a bit more strict (always require DER),
but CMS should allow both forms since, as I've outlined above, requiring DER
would make one-pass encoding impossible.
 
Peter.

v2.43.4 | Report a Bug | By Email | System Status