Re: [TLS] BoringSSL's TLS test suite
Henrick Hellström <henrick@streamsec.se> Sun, 25 September 2016 23:42 UTC
Return-Path: <henrick@streamsec.se>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7FA612B047 for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 16:42:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSDFDGjWQOMi for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 16:42:44 -0700 (PDT)
Received: from vsp2.ballou.se (vsp2.ballou.se [91.189.40.83]) by ietfa.amsl.com (Postfix) with SMTP id 18D3512B040 for <tls@ietf.org>; Sun, 25 Sep 2016 16:42:43 -0700 (PDT)
X-Halon-Scanned: 7f4a955dd6f4c149d51110a345668da22aa82d04
Received: from nmail1.ballou.se (unknown [10.0.0.116]) by vsp2.ballou.se (Halon Mail Gateway) with ESMTP; Mon, 26 Sep 2016 01:42:40 +0200 (CEST)
Received: from [192.168.0.190] (c-999671d5.06-134-73746f39.cust.bredbandsbolaget.se [213.113.150.153]) (Authenticated sender: henrick@streamsec.se) by nmail1.ballou.se (Postfix) with ESMTPSA id 2A7DAC944A; Mon, 26 Sep 2016 01:42:40 +0200 (CEST)
References: <CAF8qwaBQkVy+wcK1-NFctBepV7TW93YmmPnxS2WoJ6F6=v-aEg@mail.gmail.com> <c70c6db3-5d1c-d2db-1e37-f8849166786e@streamsec.se> <CAF8qwaAQYwW9s0E_V-TqHhTqL9sBhobzsGUch5TDQynK2VNfEw@mail.gmail.com> <227dcca5-6549-3b71-1ceb-23686df822bb@streamsec.se> <008801d21784$bd905380$38b0fa80$@augustcellars.com>
To: Jim Schaad <ietf@augustcellars.com>, 'David Benjamin' <davidben@google.com>, tls@ietf.org
From: Henrick Hellström <henrick@streamsec.se>
Message-ID: <3e2f65f0-476c-b7bb-9ca8-dd7466be8ef0@streamsec.se>
Date: Mon, 26 Sep 2016 01:41:50 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <008801d21784$bd905380$38b0fa80$@augustcellars.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PVNAmS6Brot2IRkaBNAsXkNkPc0>
Subject: Re: [TLS] BoringSSL's TLS test suite
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: henrick@streamsec.se
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Sep 2016 23:42:47 -0000
On 2016-09-26 01:29, Jim Schaad wrote:
> The ASN.1 module in RFC 5280 does not say anything about if the field is
> optional for any specific algorithm. The ASN.1 for algorithm identifier is
>
> AlgorithmIdentifier ::= SEQUENCE {
> algorithm OBJECT IDENTIFIER,
> parameters ANY DEFINED BY algorithm OPTIONAL
>
> This very explicitly says that the value (and hence presence) of the
> parameters fields is strictly defined by the algorithm identifier. The
> algorithm identifiers for RSA with the SHA2 algorithms explicitly say they
> are required.
>
>
> RFC 5912 shows that this is required with the way it defines the same
> information
>
> sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= {
> IDENTIFIER sha256WithRSAEncryption
> PARAMS TYPE NULL ARE required
> HASHES { mda-sha256 }
> PUBLIC-KEYS { pk-rsa }
> SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption }
> }
>
> You can see that the parameters are required and not optional.
Thanks, you are absolutely correct about this, and this crucial for
getting PKCS #1 v1.5 signatures right (since the algorithm identifier
encoding is part of the data to be signed), but at the same time, NULL
should be absent from the RSA public key:
pk-rsa PUBLIC-KEY ::= {
IDENTIFIER rsaEncryption
KEY RSAPublicKey
PARAMS TYPE NULL ARE absent
-- Private key format not in this module --
CERT-KEY-USAGE {digitalSignature, nonRepudiation,
keyEncipherment, dataEncipherment, keyCertSign, cRLSign}
}
and this is definitely not common practice.
- [TLS] BoringSSL's TLS test suite David Benjamin
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Adam Langley
- Re: [TLS] BoringSSL's TLS test suite David Benjamin
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Adam Langley
- Re: [TLS] BoringSSL's TLS test suite David Benjamin
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad