IETF Logo Mail Archive

Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)

Ryan Sleevi <ryan-ietf@sleevi.com> Sun, 01 August 2021 01:14 UTC

Return-Path: <ryan.sleevi@gmail.com>
X-Original-To: spasm@ietfa.amsl.com
Delivered-To: spasm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1EB7D3A23F0 for <spasm@ietfa.amsl.com>; Sat, 31 Jul 2021 18:14:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.644
X-Spam-Level:
X-Spam-Status: No, score=-1.644 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W5YOTs9OeS5z for <spasm@ietfa.amsl.com>; Sat, 31 Jul 2021 18:14:48 -0700 (PDT)
Received: from mail-pj1-f44.google.com (mail-pj1-f44.google.com [209.85.216.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29E273A23EE for <spasm@ietf.org>; Sat, 31 Jul 2021 18:14:48 -0700 (PDT)
Received: by mail-pj1-f44.google.com with SMTP id s22-20020a17090a1c16b0290177caeba067so604563pjs.0 for <spasm@ietf.org>; Sat, 31 Jul 2021 18:14:48 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rgZbN239sEw4iPfLBAiAZJnew4MVLvIJJ8eXZMUKJJM=; b=ZIbMlvYWEzyp1Qe98Hobw+goqSy3jO9Zg6EdvureMDcuUjcuBYE/xL3kmxL+gFRzvR rLAnA/ZjpOMrUDKSMNgUBd7vWXcLB20yjyv/AjghpUy+kM5clWF9Z0QNSZsbMPTkah6v BWJfsqkiGK8e2TOUPsAaLH0PEUfHerNGki3bB205TkB7NUzQeBA9PmpDrlXlBIBOlOhL 2eG+JG9369FSInke1Noj6OpoBQFMwfIBFlVi/5LOq8ZpGqA0Z3q0Pr/7kIvmobFoqKLH bbPwwpXrqZ9strPFkvxfPtjlM/rlqy3IOANT91NIgl9q75rkasHZzvht3+FnxK9B5hQR OVsQ==
X-Gm-Message-State: AOAM5302gkKb6qU44K1aTjUPkbQkv6TpZWCpKLE3Hdilkdr/Ol3ki7aq eGq7pGtfjQE4940g5QiKKismz/8Noss=
X-Google-Smtp-Source: ABdhPJyKxcxa6Gq8/px7TAc2mRhWnKIafk2CfTs/8E/B+5kkHxUS3XDSeZgugDrQNfGYAnCjc+FcRw==
X-Received: by 2002:a05:6a00:98b:b029:32a:d9a5:2540 with SMTP id u11-20020a056a00098bb029032ad9a52540mr9687268pfg.66.1627780487275; Sat, 31 Jul 2021 18:14:47 -0700 (PDT)
Received: from mail-pj1-f41.google.com (mail-pj1-f41.google.com. [209.85.216.41]) by smtp.gmail.com with ESMTPSA id n33sm7618760pgm.55.2021.07.31.18.14.46 for <spasm@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sat, 31 Jul 2021 18:14:46 -0700 (PDT)
Received: by mail-pj1-f41.google.com with SMTP id dw2-20020a17090b0942b0290177cb475142so513383pjb.2 for <spasm@ietf.org>; Sat, 31 Jul 2021 18:14:46 -0700 (PDT)
X-Received: by 2002:a17:902:d112:b029:12c:2004:981d with SMTP id w18-20020a170902d112b029012c2004981dmr8678843plw.29.1627780486768; Sat, 31 Jul 2021 18:14:46 -0700 (PDT)
MIME-Version: 1.0
References: <87czr0ww0d.fsf@fifthhorseman.net> <FF939B28-528B-47F9-9C0C-6585D1B02FBE@vigilsec.com> <87mtq3ukk0.fsf@fifthhorseman.net>
In-Reply-To: <87mtq3ukk0.fsf@fifthhorseman.net>
From: Ryan Sleevi <ryan-ietf@sleevi.com>
Date: Sat, 31 Jul 2021 21:14:36 -0400
X-Gmail-Original-Message-ID: <CAErg=HHQMZ1jk+bVxA=MzVvW+9ucie7bu-N6O8Asnp0V8Rf9Bg@mail.gmail.com>
Message-ID: <CAErg=HHQMZ1jk+bVxA=MzVvW+9ucie7bu-N6O8Asnp0V8Rf9Bg@mail.gmail.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: LAMPS WG <spasm@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000afaec605c8752d69"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spasm/PfnRDJrBdWYvI5ztWPsToaIPD-Q>
Subject: Re: [lamps] draft-ietf-lamps-samples: PKCS12 expertise needed (including objects for comparison)
X-BeenThere: spasm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is a venue for discussion of doing Some Pkix And SMime \(spasm\) work." <spasm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spasm>, <mailto:spasm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spasm/>
List-Post: <mailto:spasm@ietf.org>
List-Help: <mailto:spasm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spasm>, <mailto:spasm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Aug 2021 01:14:53 -0000

On Sat, Jul 31, 2021 at 8:27 PM Daniel Kahn Gillmor <dkg@fifthhorseman.net>
wrote:

> do folks here think it's a bug that Keychain Access isn't capable of
> reading bob.p12, but is capable of reading bob.laundered.p12?  or is
> bob.p12 actually malformed in some way?


It’s PKCS#12. There is very little interoperability on the market in
general, as it is a hell format that is functionally impossible to
implement securely, and so no vendor particularly wants to touch.

I realize that sounds like my usual hyperbole, but it truly is a pernicious
format. In Mozilla NSS, it uses what is known as the “legacy” decoder,
because of the need to support BER. The “legacy” decoder is so named
because it was, and is, a security tirefire, and the whole system was
replaced everywhere in NSS - except the CMS and P12 systems, because unlike
other places, Mozilla didn’t feel they could restrict to DER only and
remain compatible.

For Apple, there’s actually a shared history: the first CMS decoder on
macOS systems began as a port of the NSS libraries. This is why, for
example, it is speculated that the FBI was able to gain access to the San
Bernardino shooters’ phones: by exploiting a bug in the legacy decoder from
NSS that had, incidentally, been ported to macOS/iOS [1].

When folks say PKCS#12 is not a place of honor [2] [3] [4], they truly mean
nothing valued is there.

Again, I realize this sounds hyperbolic, but I also do it to highlight that
there’s very little interoperability in the deployed software, in part
because it’s impossible to maintain. Since that bug, I believe Apple has
rewritten their CMS and PKCS#12 parsers twice; although rewritten may be a
bit of a stretch, as it’s more like there are three different parsers
depending on which product you’re using.

I confess i don't understand the definite length encoding vs. indefinite
> encoding question.  are these both acceptable PKCS#12 structures?


Indefinite length means BER: the format from which a thousand security bugs
bloom, because the message size is generally not known before hand, and so
you constantly end up running past the end of the message, onto the stack,
and making everyone sad along the way. Definite length may be BER or may be
DER: it means you actually send the length before the data.

The implementation details I mentioned above play into this: you should try
to always use DER, for BER is the path of doom. That said, implementations
that have an ancestral heritage to NSS, with its unmaintained (and
insecure) BER parser (not to be confused with its DER parser for certs and
things), will still prefer to encode in BER. I realize saying “use DER”
doesn’t get you closer to “interoperable PKCS#12 file”, your end goal, but
that’s mostly because many folks gave up on “interoperable PKCS#12” ages
ago, and have accepted “if it works, it works, if it doesn’t, try doing
something different.”

>
[1]
https://twitter.com/zhuowei/status/1382475494084476928
[2]
https://en.wikipedia.org/wiki/Long-time_nuclear_waste_warning_messages#Message
[3]
https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html
[4]
https://unmitigatedrisk.com/?p=543

>

v2.23.0 | Report a Bug | By Email