Re: [TLS] BoringSSL's TLS test suite
Jim Schaad <ietf@augustcellars.com> Mon, 26 September 2016 00:35 UTC
Return-Path: <ietf@augustcellars.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE38712B044 for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 17:35:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.217
X-Spam-Level:
X-Spam-Status: No, score=-4.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-2.316, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WyBqhMXjfh0F for <tls@ietfa.amsl.com>; Sun, 25 Sep 2016 17:35:10 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BDFD12B040 for <tls@ietf.org>; Sun, 25 Sep 2016 17:35:10 -0700 (PDT)
Received: from hebrews (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Sun, 25 Sep 2016 17:48:03 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: henrick@streamsec.se, 'David Benjamin' <davidben@google.com>, tls@ietf.org
References: <CAF8qwaBQkVy+wcK1-NFctBepV7TW93YmmPnxS2WoJ6F6=v-aEg@mail.gmail.com> <c70c6db3-5d1c-d2db-1e37-f8849166786e@streamsec.se> <CAF8qwaAQYwW9s0E_V-TqHhTqL9sBhobzsGUch5TDQynK2VNfEw@mail.gmail.com> <227dcca5-6549-3b71-1ceb-23686df822bb@streamsec.se> <008801d21784$bd905380$38b0fa80$@augustcellars.com> <3e2f65f0-476c-b7bb-9ca8-dd7466be8ef0@streamsec.se>
In-Reply-To: <3e2f65f0-476c-b7bb-9ca8-dd7466be8ef0@streamsec.se>
Date: Sun, 25 Sep 2016 17:34:36 -0700
Message-ID: <009501d2178d$c3bb3820$4b31a860$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQForOp3QPsKEoAPeD+Qw7kYxpy4lgJNgXjzAbgH+SACI3xQyQLM0pkTAlOn0oOhA21QUA==
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/X5yt7NVBi_Q27Lgz4uTMtkoCJtE>
Subject: Re: [TLS] BoringSSL's TLS test suite
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2016 00:35:13 -0000
> -----Original Message----- > From: Henrick Hellström [mailto:henrick@streamsec.se] > Sent: Sunday, September 25, 2016 4:42 PM > To: Jim Schaad <ietf@augustcellars.com>; 'David Benjamin' > <davidben@google.com>; tls@ietf.org > Subject: Re: [TLS] BoringSSL's TLS test suite > > On 2016-09-26 01:29, Jim Schaad wrote: > > The ASN.1 module in RFC 5280 does not say anything about if the field > > is optional for any specific algorithm. The ASN.1 for algorithm > > identifier is > > > > AlgorithmIdentifier ::= SEQUENCE { > > algorithm OBJECT IDENTIFIER, > > parameters ANY DEFINED BY algorithm OPTIONAL > > > > This very explicitly says that the value (and hence presence) of the > > parameters fields is strictly defined by the algorithm identifier. > > The algorithm identifiers for RSA with the SHA2 algorithms explicitly > > say they are required. > > > > > > RFC 5912 shows that this is required with the way it defines the same > > information > > > > sa-sha256WithRSAEncryption SIGNATURE-ALGORITHM ::= { > > IDENTIFIER sha256WithRSAEncryption > > PARAMS TYPE NULL ARE required > > HASHES { mda-sha256 } > > PUBLIC-KEYS { pk-rsa } > > SMIME-CAPS { IDENTIFIED BY sha256WithRSAEncryption } > > } > > > > You can see that the parameters are required and not optional. > > Thanks, you are absolutely correct about this, and this crucial for getting PKCS > #1 v1.5 signatures right (since the algorithm identifier encoding is part of the > data to be signed), but at the same time, NULL should be absent from the RSA > public key: > > pk-rsa PUBLIC-KEY ::= { > IDENTIFIER rsaEncryption > KEY RSAPublicKey > PARAMS TYPE NULL ARE absent > -- Private key format not in this module -- > CERT-KEY-USAGE {digitalSignature, nonRepudiation, > keyEncipherment, dataEncipherment, keyCertSign, cRLSign} > } > > and this is definitely not common practice. No, it appears that I messed this up. (: It should be required and not absent. The text in RFC3279 says The parameters field MUST have ASN.1 type NULL for this algorithm identifier. Unhappiness.
- [TLS] BoringSSL's TLS test suite David Benjamin
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Adam Langley
- Re: [TLS] BoringSSL's TLS test suite David Benjamin
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Adam Langley
- Re: [TLS] BoringSSL's TLS test suite David Benjamin
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad
- Re: [TLS] BoringSSL's TLS test suite Henrick Hellström
- Re: [TLS] BoringSSL's TLS test suite Jim Schaad