[TLS] TLS 1.2 - is it allowed to strip the leading zero byte(s) in RSA signature in ServerKeyExchange?

M K Saravanan <mksarav@gmail.com> Wed, 12 February 2020 06:27 UTC

From: M K Saravanan <mksarav@gmail.com>
Date: Wed, 12 Feb 2020 14:26:47 +0800
Message-ID: <CAG5P2e_yELKn_ypt2cVAHtoBeNVrpKLqLwuZprq0bm=h4odrHA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_tyt1eZ9URUCiQo_kVzK9Odd6UQ>

Hi,

I recently encountered the below issue:

TLS1.2
ECDHE_RSA
server certificate: 2048-bit RSA (= 256 bytes)
ServerKeyExchange hash/sign algorithm: rsa_pkcs1_sha1

The server was sending the ServerKeyExchange with 255 bytes as the length of
the RSA signature (i.e. the leading zero was stripped) instead of 256, like
this:

====================
Handshake Protocol: Server Key Exchange
    Handshake Type: Server Key Exchange (12)
    Length: 328
    EC Diffie-Hellman Server Params
        Curve Type: named_curve (0x03)
        Named Curve: secp256r1 (0x0017)
        Pubkey Length: 65
        Pubkey: 042206562efea8bd47bf014a9e650c42f27078643c553671…
        Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
        Signature Length: 255
        Signature: d1bf915eca2ec0bcdda6f90a398fe5378d2028a22574d213…
====================

Is this allowed, i.e. stripping the leading zero of the RSA signature and
marking the length as 255? It is not clear to me from RFC 5246 whether it is
allowed or not.

(The client was failing to verify the signature due to this.)

with regards,
Saravanan
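The encoding rule behind the question, shown as an added example that is not part of the original post: RFC 5246 section 4.7 defines the RSA case of "digitally-signed" as an RSASSA-PKCS1-v1_5 signature, and that scheme (RFC 8017 / PKCS#1 section 8.2.1) produces its output as S = I2OSP(s, k), where k is the modulus length in octets. I2OSP is a fixed-length conversion, so a conforming signature over a 2048-bit modulus is always 256 octets, leading zero included; a 255-octet signature is a non-conforming encoding (a minimal big-integer serialisation rather than I2OSP). Whether a client accepts it is implementation-defined: OpenSSL's low-level RSA_public_decrypt, for one, tolerates a signature shorter than the modulus and treats it as left-padded, while a verifier that checks the length against the modulus, like the client described above, rejects it. The code below builds an ECDHE_RSA ServerKeyExchange with the layout from the dump (named_curve, secp256r1, 65-byte point, rsa_pkcs1_sha1), searches for a server_random whose signature starts with 0x00, emits both the conforming and the stripped encoding, and shows a strict verifier rejecting the stripped one while a tolerant verifier that re-pads accepts it. Everything in it is constructed: the RSA is textbook (no blinding, no constant-time comparison, a seeded PRNG), the key is 1024-bit (k = 128) to keep the run short, and the client random and EC point are dummy bytes; the logic is identical for the post's 2048-bit key.

```python
# Added example, not from the post: how the RSA signature in a TLS 1.2 ServerKeyExchange
# is encoded and what a verifier sees when its leading 0x00 octet is dropped.
# Key, randoms and EC point are constructed for the demo; textbook RSA, demo only.
import hashlib
import random
import struct

SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # RFC 8017 9.2 note 1

def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with `rounds` random bases (n odd, n > 3)."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def gen_rsa_key(bits, rng):
    """Return (n, e, d) with n exactly `bits` long, so the modulus is k = bits // 8 octets."""
    e, half = 65537, bits // 2
    def prime():
        while True:
            c = rng.getrandbits(half) | (1 << (half - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def i2osp(x, k):
    """RFC 8017 I2OSP: the integer as exactly k octets, leading zeros included."""
    return x.to_bytes(k, "big")

def emsa_pkcs1_v1_5(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(msg): 00 01 FF..FF 00 DigestInfo."""
    t = SHA1_DIGESTINFO + hashlib.sha1(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, msg):
    """RSASSA-PKCS1-v1_5: the signature is always k octets, even when its top octet is 0x00."""
    n, _e, d = priv
    k = (n.bit_length() + 7) // 8
    return i2osp(pow(int.from_bytes(emsa_pkcs1_v1_5(msg, k), "big"), d, n), k)

def rsa_verify(pub, msg, sig, strict=True):
    """strict=True requires len(sig) == k; strict=False left-pads a short signature."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) > k or (strict and len(sig) != k):
        return False
    s = int.from_bytes(sig.rjust(k, b"\x00"), "big")
    return s < n and i2osp(pow(s, e, n), k) == emsa_pkcs1_v1_5(msg, k)

def ecdh_params(point):
    """ServerECDHParams: curve_type=named_curve(3), secp256r1(0x0017), ECPoint<1..2^8-1>."""
    return b"\x03\x00\x17" + bytes([len(point)]) + point

def build_ske(priv, client_random, server_random, point, strip_leading_zero=False):
    """ServerKeyExchange body for ECDHE_RSA / rsa_pkcs1_sha1 (RFC 5246 7.4.3, RFC 4492 5.4)."""
    params = ecdh_params(point)
    sig = rsa_sign(priv, client_random + server_random + params)
    if strip_leading_zero and sig[0] == 0:
        sig = sig[1:]  # the non-conforming encoding from the post: k-1 octets instead of k
    # SignatureAndHashAlgorithm {sha1(2), rsa(1)}, then opaque signature<0..2^16-1>
    return params + b"\x02\x01" + struct.pack(">H", len(sig)) + sig

def parse_ske(body):
    if body[0] != 3:
        raise ValueError("only named_curve is handled here")
    off = 4 + body[3]  # end of ServerECDHParams (1 + 2 + 1 + point length)
    slen = struct.unpack(">H", body[off + 2:off + 4])[0]
    if off + 4 + slen != len(body):
        raise ValueError("bad signature length")
    return {"params": body[:off], "point": body[4:off], "sigalg": body[off:off + 2], "sig": body[off + 4:]}

def verify_ske(pub, body, client_random, server_random, strict=True):
    f = parse_ske(body)
    return rsa_verify(pub, client_random + server_random + f["params"], f["sig"], strict)

def find_leading_zero_server_random(priv, client_random, point, rng, max_tries=4096):
    """Draw server_random values until the signature's first octet is 0x00 (P ~ 1/256)."""
    params = ecdh_params(point)
    for _ in range(max_tries):
        sr = i2osp(rng.getrandbits(256), 32)
        if rsa_sign(priv, client_random + sr + params)[0] == 0:
            return sr
    raise RuntimeError("no leading-zero signature found")

def demo(bits=1024, seed=1):
    """1024-bit key (k = 128) keeps the demo fast; the post's 2048-bit key gives k = 256."""
    rng = random.Random(seed)  # seeded PRNG: demo only, never for a real key
    n, e, d = gen_rsa_key(bits, rng)
    priv, pub = (n, e, d), (n, e)
    cr, point = bytes(range(32)), b"\x04" + b"\x11" * 64  # constructed random / 65-byte point
    sr = find_leading_zero_server_random(priv, cr, point, rng)
    good = build_ske(priv, cr, sr, point)
    bad = build_ske(priv, cr, sr, point, strip_leading_zero=True)
    return {"k": bits // 8, "good_len": len(parse_ske(good)["sig"]),
            "bad_len": len(parse_ske(bad)["sig"]),
            "good_strict": verify_ske(pub, good, cr, sr),
            "bad_strict": verify_ske(pub, bad, cr, sr),
            "bad_tolerant": verify_ske(pub, bad, cr, sr, strict=False)}
```

Running demo() returns good_len 128 and bad_len 127 (the 256/255 of the post, scaled to the demo key), with the stripped message failing the strict check and passing only the tolerant one. The strict behaviour is the correct conformance check; left-padding is a compatibility workaround a client might choose deliberately, and the actual fix belongs on the server, which should emit the signature with a fixed-length I2OSP (k octets) rather than the minimal encoding of the big integer.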