Re: [smime] PKCS#7 v1.5 vs. CMS / ContentInfo vs. EncapsulatedContentInfo based on version

Jim Schaad <ietf@augustcellars.com> Sat, 04 November 2017 05:13 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: smime@ietfa.amsl.com
Delivered-To: smime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8A7813FB42 for <smime@ietfa.amsl.com>; Fri, 3 Nov 2017 22:13:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dotYwQUoz5YC for <smime@ietfa.amsl.com>; Fri, 3 Nov 2017 22:13:20 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CD77913FB37 for <smime@ietf.org>; Fri, 3 Nov 2017 22:13:20 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1509772397; h=from:subject:to:date:message-id; bh=dov93CLIldTAnt99RnNzEUBBb0tNttxwhrUNXEcTSR8=; b=fvpQXpU4afl1xtPXv5HYD/Ahl++vKtAfgVvbXcX6InNtzgA2W+3p/Z9Tabm3VmN4iUFsPw+VdLZ 57ZGYJ736IXeWUXiHXdAJh1z2+fsNJVXQ/OLfpMPPz9xyA63Yar2xc8Q+9ZeUA3wxO3mELACNROSA PmjISVTgD57wQ9HFBHHSqwaGU7TqZDKj9omOF2KWR6PlT0hP9sOitEWf7xlSQ4DXFlyJ0THoMYpZX MnmP+beEtsocrrOUl/WOHFUGzxmkHtWZvmjTnk9LpQX2UXqZeQPWMC7euVAUOoVz8jX9dLOxaEOUd eSnzqzd3EN9kxJy2+m1M4uK33UVWo0AfTOuw==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 3 Nov 2017 22:13:16 -0700
Received: from Hebrews (73.180.8.170) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 3 Nov 2017 22:12:14 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: <mrex@sap.com>
CC: <smime@ietf.org>
References: <20171103160451.AD0DB404B@ld9781.wdf.sap.corp> <001101d354d1$1cfdced0$56f96c70$@augustcellars.com> <20171103214327.2D092404B@ld9781.wdf.sap.corp>
In-Reply-To: <20171103214327.2D092404B@ld9781.wdf.sap.corp>
Date: Fri, 3 Nov 2017 22:13:11 -0700
Message-ID: <002a01d3552b$9e1ea700$da5bf500$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKF3Wi9cvbMmmnh/4p3vrg5y3Oj2QJVgjNfAdAjTyqhfW3NoA==
X-Originating-IP: [73.180.8.170]
Archived-At: <https://mailarchive.ietf.org/arch/msg/smime/eMblDguz5FUfcqpHOXP-5dXyk9E>
Subject: Re: [smime] PKCS#7 v1.5 vs. CMS / ContentInfo vs. EncapsulatedContentInfo based on version
X-BeenThere: smime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: SMIME Working Group <smime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/smime>, <mailto:smime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/smime/>
List-Post: <mailto:smime@ietf.org>
List-Help: <mailto:smime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/smime>, <mailto:smime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Nov 2017 05:13:23 -0000


> -----Original Message-----
> From: Martin Rex [mailto:mrex@sap.com]
> Sent: Friday, November 3, 2017 2:43 PM
> To: Jim Schaad <ietf@augustcellars.com>;
> Cc: mrex@sap.com; smime@ietf.org
> Subject: Re: [smime] PKCS#7 v1.5 vs. CMS / ContentInfo vs.
> EncapsulatedContentInfo based on version
> 
> Hi Jim,
> 
> Thanks for the reply, but this leaves me even more confused now.
> 
> Admittedly my personal implementors experience is tiny.  I once patched
> support for processing rfc3161 TimeStamps into an existing PKCS#7 v1.5
> implementation, and I needed a few tweaks for the ASN.1 encoder & decoder
> -- but rfc3161 uses id-ct-TSTInfo content type and version 3 rather than
id-data
> and version 1, so I needed tweaks for processing of
EncapsulatedContentInfo.
> 
> 
> Jim Schaad <ietf@augustcellars.com>; wrote:
> >
> > To begin with, this is only a problem if you are looking at wrapping
> > contents other than id-data, for id-data there is no difference.  In
> > both cases there is an OCTET wrapper.
> 
> This statement looks like a self-contradiction.  Either there is _no_
difference
> between PKCS#7 v1.5 SignedData for id-data, then there is no wrapper.  Or
> there is a difference, and EncapsulatedContentInfo is used.

There is zero difference in the bytes outputted by the encoder.  

For PKCS#7 v1.5 - id-data is defined to be an OCTET STRING - thus the
emitted content is an OCTET wrapped data string
For CMS - id-data is defined to not have an ASN.1 type - instead the data is
directly wrapped by the OCTET wrapper that present in all SignedData objects

> 
> >
> > For things which are not id-data, there is going to be a difference
> > between the two encodings in that for one an octet wrapper is there
> > and for the other case it is not.  I would say that you need to look
> > at the content type and the type of the field and then make a decision
about
> what you are doing.
> 
> Do you mean that while the PDU encoding for SignedData with id-data
> ContentInfo is the same for PKCS#7 v1.5 and CMS, the actual signature (or
> more precisely the hash over that id-data) is computed _differently_ for
> PKCS#7 v1.5 and CMS (covering the 0x04 plus ASN.1 length field for CMS,
and
> omitting this for PKCS#7 v1.5) ?

For PKCS #7 v1.5 - the outer ASN.1 length and tag are not included in the
signature computation.  This means that the exact same set of bytes are
going to be hashed for an id-data object.

For a non-id-data object, the bytes that would be hashed ARE different.  For
PKCS #7 v1.5 the tag and length are not included in the signature
computation.  For CMS the OCTET wrapper is not included, but all of the
contents are included.  This means that for CMS the tag and length of the
data are included in the hash computation. 

Does this answer your questions?

> 
> I wouldn't like a heuristic on decoding because it results in needlessly
complex
> code and seems to have an ambituity for certain id-data that
conicidentally
> matches the beginning of an ASN.1 DER OctetString.
> 
> But requiring a heuristic on SignedData would be magnitudes worse, because
> of significantly higher CPU cycles impact for computing and verifying two
> different hashes.
> 
> 
> > I will note that there is a security problem with the PKCS#7 encoding
> > where the content and length bytes are not correctly protected.  This
> > is one of the reasons that CMS added the OCTET wrapper in all cases
> > rather than just in the case of id-data.
> 
> But "in all cases rather than just in the case of id-data" is a
contradiction to the
> above (with respect to the encoding).  Or is this comment _not_ about the
> encoding, but rather about the data which gets signed (hashed) ?
> 
> 
> >
> > There was never any intent that a version number of one would indicate
> > that this was PKCS#7 rather than CMS.
> 
> That sounds wrong to me.  At least my copy of PKCS#7 v1.5
> (rfc2315) is _explicit_ that this version indicates PDU/protocol, and
> version==1 therefore implies PKCS#7 (rfc2315) syntax/encoding
> **AND** processing rules (semantics).
> 
> https://tools.ietf.org/html/rfc2315#section-9.1
> 
>    The fields of type SignedData have the following meanings:
> 
>         o    version is the syntax version number. It shall be
>              1 for this version of the document.
> 
> 
> The PKCS#7 v1.5 PDU was *ALWAYS* supposed to be self-describing, and later
> revisions of it to identify different syntax as well as different
processing rules by
> using a different version in the PDU.
> 
> 
> For the particular (governmentally mandated) data exchange scenario in
> Germany, they're currently using PKCS#7 v1.5 with RSA PKCS#1 v1.5, and
they
> want to transition to using RSA-PSS (signatures on certs and PKCS#7/CMS
> SignedData) and RSA-OAEP (EvelopedData), with EndEntity certs that carry
> rsaEncryption keys (so that the keys can be used for both, signature and
> encryption).
> 
> 
> -Martin