Re: [TLS] Possible TLS 1.3 erratum

Hubert Kario <> Tue, 20 July 2021 19:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 782733A2F7C for <>; Tue, 20 Jul 2021 12:37:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.25
X-Spam-Status: No, score=-3.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 15pu2sYkOnjn for <>; Tue, 20 Jul 2021 12:37:38 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0A1DA3A2F80 for <>; Tue, 20 Jul 2021 12:37:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=mimecast20190719; t=1626809856; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=oq0NIR8UTOjhU3FtK0meljIqAnkwmMK1ucjXcK/K5rQ=; b=EAXdsSySJbCXHnwAzJPBQird/RBIKJoMRgx4GQJVgTyKb6SCqox0ViWLsWpqTiAKM154Ym +/j/XUYT1y4K/cvCWMsvJQS8vLToyiPE+OFmDBPP5D6k1jYiCNxsDeGhdHqepOxTEjAlOq pXMuWf+AqXiW8JZ71IGiW2ar0Ij0Pd8=
Received: from ( []) (Using TLS) by with ESMTP id us-mta-295-n0IPszv8Pt6DX4sBhMouCw-1; Tue, 20 Jul 2021 15:37:35 -0400
X-MC-Unique: n0IPszv8Pt6DX4sBhMouCw-1
Received: by with SMTP id j141-20020a1c23930000b0290212502cb19aso116415wmj.0 for <>; Tue, 20 Jul 2021 12:37:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:mime-version:message-id :in-reply-to:references:organization:user-agent :content-transfer-encoding; bh=oGsgQtmtaik01MEHXx/A47cV51KRtuNzR5/DCU1ndkU=; b=Je4HeXa8muQXo8BVLq4tnjxoo0lA/Qc4oe37v9vtdjl3tNitqg4B4diVEDt7I01UP7 SU7awrr7LoHDlkkhLOo31oKKuPoiKUz3AZPRm9/VctO7Iqxls+beYMU9eM9i4iWRHEx5 7hlfNvS99N6yQebm7Hvv6leQWwfnwqbiKDycIelTp0BEh8MZvJyBJxLz3NZseZWGZapQ KBc2d0H566gt9HNzmBpNaVYdbJoD7fVyXWxVA6x/9OJqFquP4ZockwO8OVIrEth73yVT HV39jTwAtuBjHqP+mkt7wxgOSOiv7vIklrGIJGcSUgcSLVvlHTQO0NwiYHtcbA4/7W6C xj0Q==
X-Gm-Message-State: AOAM531fPQchj8bOMutW64NUWMuFe27xYitrCkneaocuLEeYfSnGhPNR 6rRRb3fDtZMlew/IoISLRnITNnWJYfBJ4I71BWiDxbG+x9KnPQRSmz6ktcNh/ye8oQGpx5VcT+G IOaI=
X-Received: by 2002:a5d:4086:: with SMTP id o6mr37111864wrp.379.1626809854100; Tue, 20 Jul 2021 12:37:34 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxf9W2pD1urQ/+fLhlMd/tPzjbeHitlNe63LCTC5E9I4oikoNAGB+ajiGoPQkhDP1DrnlOBmg==
X-Received: by 2002:a5d:4086:: with SMTP id o6mr37111853wrp.379.1626809853951; Tue, 20 Jul 2021 12:37:33 -0700 (PDT)
Received: from localhost ( []) by with ESMTPSA id y6sm20221610wma.48.2021. (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 20 Jul 2021 12:37:33 -0700 (PDT)
From: Hubert Kario <>
To: Peter Gutmann <>
Cc: Ilari Liusvaara <>,
Date: Tue, 20 Jul 2021 21:37:32 +0200
MIME-Version: 1.0
Message-ID: <>
In-Reply-To: <>
References: <>
Organization: Red Hat
User-Agent: Trojita/0.7-git; Qt/5.15.2; xcb; Linux; Fedora release 33 (Thirty Three)
Authentication-Results:; auth=pass smtp.auth=CUSA124A263
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Possible TLS 1.3 erratum
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Jul 2021 19:37:41 -0000

On Tuesday, 20 July 2021 16:18:38 CEST, Peter Gutmann wrote:
> Hubert Kario <> writes:
>> I suggest you go back to the RFCs and check exactly what is 
>> needed for proper
>> handling of RSA-PSS Subject Public Key type in X.509. 
>> Specifically when the
>> "parameters" field is present.
> Looking at the code I'm using, it's four lines of extra code for PSS when
> reading sigs and four lines extra when writing (OK, technically seven if you
> include the "if" statement and curly braces lines).

And that code will reject a SHA-512 signature if it was made by a 
with hash algorithm of SHA-256?
What about MGF? Salt length?

Will it reject PKCS#1 v1.5 signatures made with such a key?

It's one thing to be able to read a certificate with those parameters,
it's completely different to actually implement the standard.
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Red Hat Czech s.r.o., Purky┼łova 99/71, 612 45, Brno, Czech Republic