Re: Possible ambiguities in encoding of signatures, encrypted keys
pgut001@cs.aucKland.ac.nz (Peter Gutmann) Mon, 12 April 1999 13:01 UTC
Received: from mail.proper.com (mail.proper.com [206.86.127.224]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA26155 for <smime-archive@odin.ietf.org>; Mon, 12 Apr 1999 09:01:55 -0400 (EDT)
Received: (from majordomo@localhost) by mail.proper.com (8.8.8/8.8.5) id FAA15814 for ietf-smime-bks; Mon, 12 Apr 1999 05:11:28 -0700 (PDT)
Received: from mail.student.auckland.ac.nz (mail.student.auckland.ac.nz [130.216.35.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id FAA15809; Mon, 12 Apr 1999 05:11:25 -0700 (PDT)
Received: from cs26.cs.auckland.ac.nz (pgut001@cs26.cs.auckland.ac.nz [130.216.36.9]) by mail.student.auckland.ac.nz (8.8.6/8.8.6/cs-master) with SMTP id AAA21458; Tue, 13 Apr 1999 00:11:34 +1200 (NZST) (sender pgut001@cs.auckland.ac.nz)
Received: by cs26.cs.auckland.ac.nz (relaymail v0.9) id <92391909404745>; Tue, 13 Apr 1999 00:11:34 (NZST)
From: pgut001@cs.aucKland.ac.nz
To: ietf-pkix@imc.org, ietf-smime@imc.org
Subject: Re: Possible ambiguities in encoding of signatures, encrypted keys
Reply-To: pgut001@cs.aucKland.ac.nz
X-Charge-To: pgut001
X-Authenticated: relaymail v0.9 on cs26.cs.auckland.ac.nz
Date: Tue, 13 Apr 1999 00:11:34 -0000
Message-ID: <92391909404745@cs26.cs.auckland.ac.nz>
Sender: owner-ietf-smime@imc.org
Precedence: bulk
List-Archive: <http://www.imc.org/ietf-smime/mail-archive/>
List-Unsubscribe: <mailto:ietf-smime-request@imc.org?body=unsubscribe>
William Whyte <wwhyte@baltimore.ie> writes: >>Currently both RFC 2459 and CMS refer to RFC 2313/2437 for the encoding of RSA >>signatures/encrypted data (RFC 2459, 7.2.1; CMS, 12.3.2.1 and 12.2.2 - what I'm >>about to describe applies to other algorithms as well, but I'll stick with RSA >>to keep it simple). These RFC's make the assumption that the encoded value >>will be of the same length as the modulus, zero-padding the value if required >>(RFC 2437, 7.2.1 and 8.1.1), however when this padding is used the encoded >>value doesn't follow the DER any more. >I'm not sure this is right. The signature is an octet string or a bit string, >not an integer, and it's perfectly legal to have an OCTET STRING or BIT STRING >with leading null bytes. Ah, of course! This only leaves the signatures which have internal structure (eg DSA, a SEQUENCE containing two INTEGER's), and they have their own rules which don't clash with RFC 2459/CMS. (Didn't PKIX at one point include a requirement for DH values, encoded as bit strings, to be shifted up so the MSB was the first nonzero bit in the string, thankfully this vanished soon after it appeared because it would've been a right pain to implement) Is anyone aware of any implementations which break if the signature/encrypted data value isn't padded out as required? You'd probably have to go out of your way to write code which does this, I'm wondering whether any code does actually complain if the data isn't exactly the right size. The reason I'm asking is that I've always encoded things in the minimum number of bytes (as if it was a DER INTEGER) rather than padding with zeroes which so far hasn't caused any problems. Peter.
- Possible ambiguities in encoding of signatures, e… Peter Gutmann
- RE: Possible ambiguities in encoding of signature… William Whyte
- Re: Possible ambiguities in encoding of signature… Peter Gutmann