Re: [TLS] TLS 1.2 - is it allowed to strip the leading zero byte(s) in RSA signature in ServerKeyExchange?

M K Saravanan <mksarav@gmail.com> Wed, 12 February 2020 07:14 UTC

Return-Path: <mksarav@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83B5012088A for <tls@ietfa.amsl.com>; Tue, 11 Feb 2020 23:14:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IGgxa7jv6Xfx for <tls@ietfa.amsl.com>; Tue, 11 Feb 2020 23:14:06 -0800 (PST)
Received: from mail-ua1-x930.google.com (mail-ua1-x930.google.com [IPv6:2607:f8b0:4864:20::930]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AF6E120889 for <tls@ietf.org>; Tue, 11 Feb 2020 23:14:06 -0800 (PST)
Received: by mail-ua1-x930.google.com with SMTP id h32so490004uah.4 for <tls@ietf.org>; Tue, 11 Feb 2020 23:14:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pKbx5302u8+4HoV9O5E3l4X+IaudPToy2K2RFI6pATk=; b=imMiKTv2YWtMJsl9L3qIw/0E6U1eOznXHBMif1oTnGRmnZeXk4f04OAV7ekNlBT7Uf RKkX4G4mZnr+XTkg3fdXAGu3NhGk4BPd7i3JBOvY3Ey9W1q83r1M2myhkBKBETZ5psq9 qsWlU3g8mjjjVMy5AYr58+JIHUT6bQ/kl0tPf4duHZY9CkyW27AxuZf5bDGWZAdnUZTO jg+IrC+w4uInegEewE4pbtgD/UQ2BUkgJqo2aPAoyQrnxaxbeWGKZbq62pJsxxG+DUO7 NSWX64lcuWP/wKqOrgNHXaDwFg0XGgoZrfkzWb2VVLqosU+CauzyavjfXTZ2pO9uh6oB XB4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pKbx5302u8+4HoV9O5E3l4X+IaudPToy2K2RFI6pATk=; b=Bxm4oU7Kzds6n71MjP6emX5AKRYxOS4W95Dkk2+LhGBrN/PlsUPPs9BlSVoobXRPHx cV9M/4MrkKHRcZ9ikN7AAcERt4TVA0T88pUnPXtkgCSO1BndW9LOqeJxNPWwb499+Pvc bGNdUIQ0ffkSorueenIACf2Vc6Do5FNec6XtmiwBvJ/8p/IdycctBTmytRu5iKsqZACz P7L9B8lN9nG/QtWOyB+gHKcTfrwOayKi3ZuCv1+PMfUhv4dWsPeCpwZVDCMFTfrEiEUb z9bpyP8+qfkk7e+H2hP5NJnY5DC9XGIVQLzuCdQrJs5nK2GxEIeWjcxs7ahSQ+hIzsM9 DYhQ==
X-Gm-Message-State: APjAAAVKF5Pb37PVK870JOFWn9gzw+XX7bEkwMtDuxbaJwYGEewyNRjC gxL6qILfg/hnaqsGKGK8Ax/sQ5IG40T6m2i9KloIPAu9
X-Google-Smtp-Source: APXvYqyP8iYgn8WwLffff3QkAFYmIVfixsd8vNlgB3mguRxHucx6L/SGuR+50UcDs94Pa3InpLd3NYxWR1Y1myLHU7c=
X-Received: by 2002:ab0:18a1:: with SMTP id t33mr3919094uag.123.1581491645303; Tue, 11 Feb 2020 23:14:05 -0800 (PST)
MIME-Version: 1.0
References: <CAG5P2e_yELKn_ypt2cVAHtoBeNVrpKLqLwuZprq0bm=h4odrHA@mail.gmail.com> <CAF8qwaB0G-PLGSRPxfMoyEEEc8t2D6k_oX9wrZqpPpwS6FPnnA@mail.gmail.com>
In-Reply-To: <CAF8qwaB0G-PLGSRPxfMoyEEEc8t2D6k_oX9wrZqpPpwS6FPnnA@mail.gmail.com>
From: M K Saravanan <mksarav@gmail.com>
Date: Wed, 12 Feb 2020 15:13:54 +0800
Message-ID: <CAG5P2e-6x9xyXSz=K4fCJiAJXR5vOOCBy+Vx4z-yA3KU72u9NQ@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bbce46059e5bb7d8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/t98pE0gpxb0HZ15vCnwqHgp7vKA>
Subject: Re: [TLS] TLS 1.2 - is it allowed to strip the leading zero byte(s) in RSA signature in ServerKeyExchange?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Feb 2020 07:14:09 -0000

Thanks David for the clarification.

with regards,
Saravanan

On Wed, 12 Feb 2020 at 14:53, David Benjamin <davidben@chromium.org>; wrote:

> The signature is invalid. The client is correct to reject it, and the
> server is incorrect to produce it.
>
> RFC5246 cites PKCS1 (then RFC3447, now RFC8017). Both versions spell out
> the signing and verifying operations explicitly. The signing operation must
> produce a fixed-width output and the verification operation must reject
> incorrectly-sized inputs:
> https://tools.ietf.org/html/rfc3447#section-8.2.1
> https://tools.ietf.org/html/rfc3447#section-8.2.2
> https://tools.ietf.org/html/rfc8017#section-8.2.1
> https://tools.ietf.org/html/rfc8017#section-8.2.2
>
>
> On Wed, Feb 12, 2020 at 1:27 AM M K Saravanan <mksarav@gmail.com>; wrote:
>
>> Hi,
>>
>> I recently encountered the below issue:
>>
>> TLS1.2
>> ECDHE_RSA
>> server certificate: 2048-bit RSA (= 256 bytes)
>> ServerKeyExchange hash/sign algorithm: rsa_pkcs1_sha1
>>
>> The server was sending the ServerKeyExchange with 255 byte as length for
>> the RSA signature (i.e. the leading zero was stripped) instead of 256 like
>> this:
>>
>> ====================
>> Handshake Protocol: Server Key Exchange
>>     Handshake Type: Server Key Exchange (12)
>>     Length: 328
>>     EC Diffie-Hellman Server Params
>>         Curve Type: named_curve (0x03)
>>         Named Curve: secp256r1 (0x0017)
>>         Pubkey Length: 65
>>         Pubkey: 042206562efea8bd47bf014a9e650c42f27078643c553671…
>>         Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
>>         Signature Length: 255
>>         Signature: d1bf915eca2ec0bcdda6f90a398fe5378d2028a22574d213…
>> ====================
>>
>> Is this allowed?  i.e. stripping the leading zero of the RSA signature
>> and marking the length as 255?   It is not clear to me from the RFC5246
>> whether it is allowed or not.
>>
>> (client was failing to verify the signature due to this).
>>
>> with regards,
>> Saravanan
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>