Re: [smime] PKCS#7 v1.5 vs. CMS / ContentInfo vs. EncapsulatedContentInfo based on version

Jim Schaad <ietf@augustcellars.com> Sat, 04 November 2017 05:13 UTC

From: Jim Schaad <ietf@augustcellars.com>
To: mrex@sap.com
CC: smime@ietf.org
References: <20171103160451.AD0DB404B@ld9781.wdf.sap.corp> <001101d354d1$1cfdced0$56f96c70$@augustcellars.com> <20171103214327.2D092404B@ld9781.wdf.sap.corp>
In-Reply-To: <20171103214327.2D092404B@ld9781.wdf.sap.corp>
Date: Fri, 03 Nov 2017 22:13:11 -0700
Message-ID: <002a01d3552b$9e1ea700$da5bf500$@augustcellars.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/eMblDguz5FUfcqpHOXP-5dXyk9E>
Subject: Re: [smime] PKCS#7 v1.5 vs. CMS / ContentInfo vs. EncapsulatedContentInfo based on version


> -----Original Message-----
> From: Martin Rex [mailto:mrex@sap.com]
> Sent: Friday, November 3, 2017 2:43 PM
> To: Jim Schaad <ietf@augustcellars.com>
> Cc: mrex@sap.com; smime@ietf.org
> Subject: Re: [smime] PKCS#7 v1.5 vs. CMS / ContentInfo vs.
> EncapsulatedContentInfo based on version
> 
> Hi Jim,
> 
> Thanks for the reply, but this leaves me even more confused now.
> 
> Admittedly my personal implementor's experience is tiny.  I once patched
> support for processing rfc3161 TimeStamps into an existing PKCS#7 v1.5
> implementation, and I needed a few tweaks for the ASN.1 encoder & decoder
> -- but rfc3161 uses id-ct-TSTInfo content type and version 3 rather than
> id-data and version 1, so I needed tweaks for processing of
> EncapsulatedContentInfo.
> 
> 
> Jim Schaad <ietf@augustcellars.com> wrote:
> >
> > To begin with, this is only a problem if you are looking at wrapping
> > contents other than id-data, for id-data there is no difference.  In
> > both cases there is an OCTET wrapper.
> 
> This statement looks like a self-contradiction.  Either there is _no_
> difference between PKCS#7 v1.5 SignedData for id-data, then there is no
> wrapper.  Or there is a difference, and EncapsulatedContentInfo is used.

There is zero difference in the bytes output by the encoder.

For PKCS#7 v1.5, id-data is defined to be an OCTET STRING, so the emitted
content is an OCTET-wrapped data string.
For CMS, id-data is defined to have no ASN.1 type; instead the data is
directly wrapped by the OCTET wrapper that is present in all SignedData
objects.

> 
> >
> > For things which are not id-data, there is going to be a difference
> > between the two encodings in that for one an octet wrapper is there
> > and for the other case it is not.  I would say that you need to look
> > at the content type and the type of the field and then make a decision
> > about what you are doing.
> 
> Do you mean that while the PDU encoding for SignedData with id-data
> ContentInfo is the same for PKCS#7 v1.5 and CMS, the actual signature (or
> more precisely the hash over that id-data) is computed _differently_ for
> PKCS#7 v1.5 and CMS (covering the 0x04 plus ASN.1 length field for CMS,
> and omitting this for PKCS#7 v1.5) ?

For PKCS #7 v1.5, the outer ASN.1 length and tag are not included in the
signature computation.  This means that the exact same set of bytes is
going to be hashed for an id-data object.

For a non-id-data object, the bytes that would be hashed ARE different.  For
PKCS #7 v1.5 the tag and length are not included in the signature
computation.  For CMS the OCTET wrapper is not included, but all of the
contents are included.  This means that for CMS the tag and length of the
data are included in the hash computation.

Does this answer your questions?

> 
> I wouldn't like a heuristic on decoding because it results in needlessly
> complex code and seems to have an ambiguity for certain id-data that
> coincidentally matches the beginning of an ASN.1 DER OctetString.
> 
> But requiring a heuristic on SignedData would be magnitudes worse, because
> of significantly higher CPU cycles impact for computing and verifying two
> different hashes.
> 
> 
> > I will note that there is a security problem with the PKCS#7 encoding
> > where the content and length bytes are not correctly protected.  This
> > is one of the reasons that CMS added the OCTET wrapper in all cases
> > rather than just in the case of id-data.
> 
> But "in all cases rather than just in the case of id-data" is a
> contradiction to the above (with respect to the encoding).  Or is this
> comment _not_ about the encoding, but rather about the data which gets
> signed (hashed) ?
> 
> 
> >
> > There was never any intent that a version number of one would indicate
> > that this was PKCS#7 rather than CMS.
> 
> That sounds wrong to me.  At least my copy of PKCS#7 v1.5
> (rfc2315) is _explicit_ that this version indicates PDU/protocol, and
> version==1 therefore implies PKCS#7 (rfc2315) syntax/encoding
> **AND** processing rules (semantics).
> 
> https://tools.ietf.org/html/rfc2315#section-9.1
> 
>    The fields of type SignedData have the following meanings:
> 
>         o    version is the syntax version number. It shall be
>              1 for this version of the document.
> 
> 
> The PKCS#7 v1.5 PDU was *ALWAYS* supposed to be self-describing, and later
> revisions of it to identify different syntax as well as different
> processing rules by using a different version in the PDU.
> 
> 
> For the particular (governmentally mandated) data exchange scenario in
> Germany, they're currently using PKCS#7 v1.5 with RSA PKCS#1 v1.5, and
> they want to transition to using RSA-PSS (signatures on certs and
> PKCS#7/CMS SignedData) and RSA-OAEP (EnvelopedData), with EndEntity certs
> that carry rsaEncryption keys (so that the keys can be used for both,
> signature and encryption).
> 
> 
> -Martin
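The byte-level difference Jim describes above (identical digest input for id-data, differing input for any other content type) as an added Python example that is not part of this thread or of any PKCS#7/CMS library; the DER helpers, the `pkcs7_content`/`cms_econtent` model of the two encodings, and the TSTInfo-like SEQUENCE are constructed here for illustration.

```python
# Minimal DER helpers, written for this illustration (not from RFC 2315/5652).
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value

def split_tlv(der: bytes):
    """Return (tag, header, contents) for one DER element."""
    n = 0 if der[1] < 0x80 else der[1] & 0x7F
    length = der[1] if n == 0 else int.from_bytes(der[2:2 + n], "big")
    return der[0], der[: 2 + n], der[2 + n : 2 + n + length]

OCTET_STRING, SEQUENCE = 0x04, 0x30

def pkcs7_content(is_id_data: bool, data: bytes) -> bytes:
    """PKCS#7 v1.5 content: id-data is an OCTET STRING; other types are their own DER."""
    return der_tlv(OCTET_STRING, data) if is_id_data else data

def cms_econtent(is_id_data: bool, data: bytes) -> bytes:
    """CMS eContent: always an OCTET STRING (raw bytes, or the content's full DER)."""
    return der_tlv(OCTET_STRING, data)

def pkcs7_digest_input(content: bytes) -> bytes:
    """RFC 2315 s.9.3: only the contents octets are digested; the content's
    own tag and length octets are omitted, whatever its type."""
    return split_tlv(content)[2]

def cms_digest_input(econtent: bytes) -> bytes:
    """RFC 5652 s.5.4: digest what is inside the eContent OCTET STRING, so a
    non-id-data content keeps its own tag and length under the signature."""
    tag, _, inner = split_tlv(econtent)
    assert tag == OCTET_STRING, "eContent must be an OCTET STRING"
    return inner

def digest_inputs(is_id_data: bool, data: bytes):
    """Bytes that get hashed under each specification, as (pkcs7, cms)."""
    return (pkcs7_digest_input(pkcs7_content(is_id_data, data)),
            cms_digest_input(cms_econtent(is_id_data, data)))

# Constructed inputs: raw id-data bytes and a small SEQUENCE standing in for TSTInfo.
RAW_ID_DATA = b"hello"
TSTINFO_LIKE = der_tlv(SEQUENCE, der_tlv(0x02, b"\x01") + der_tlv(OCTET_STRING, b"abc"))
```

`digest_inputs(True, RAW_ID_DATA)` returns the same bytes for both, while `digest_inputs(False, TSTINFO_LIKE)` returns the SEQUENCE contents for PKCS#7 and the whole SEQUENCE for CMS; this is also the unprotected-tag-and-length point Jim raises, since swapping the SEQUENCE tag for another leaves the PKCS#7 digest input unchanged.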