Re: [TLS] Adoption call for draft-davidben-tls13-pkcs1

Hubert Kario <hkario@redhat.com> Wed, 11 December 2019 13:21 UTC

From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Wed, 11 Dec 2019 14:21:48 +0100
Message-ID: <8f54acb3-61df-4617-b2c6-53b8c9021575@redhat.com>
In-Reply-To: <20191207102017.GA1754124@LK-Perkele-VII>
References: <843cc437-4c6d-43ce-b634-527a287c4e27@www.fastmail.com> <c4bab542-f1fd-4c80-89b8-1b7a3ef883a7@www.fastmail.com> <CAMfhd9W_+1i=Q48GKAxT=TtHm+fKxUKUepqCtfJ7xQ6LgM4h_w@mail.gmail.com> <CAEMoRCshwo1vsb+bYbJLpOCMWGcJ15sz8COXeXbxmX-KDbY8Mw@mail.gmail.com> <20191207102017.GA1754124@LK-Perkele-VII>
Organization: Red Hat
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u4nWhgQnF0v8HTJvlSiQk2uaLxg>

On Saturday, 7 December 2019 11:20:17 CET, Ilari Liusvaara wrote:
> On Fri, Dec 06, 2019 at 11:09:48AM -0600, Darin Pettis wrote:
>> On Thu, Nov 14, 2019 at 4:43 PM Adam Langley 
>> <agl@imperialviolet.org> wrote:
>>> People on this list who manage large corporate networks may wish to pay
>>> attention to this: while you may not have updated servers to TLS 1.3 yet,
>>> eventually it'll happen and I suspect some will find a significant amount
>>> of things like TPMs, in which you currently have client-certificate keys,
>>> which only sign with PKCS#1 v1.5. Without this draft adopted and ...
>> 
>> Adam - Wanted to thank you for the call-out to people on the list managing
>> large corporate networks. Looking into the mutual authentication supported
>> protocols issue that you and David raised. Will evaluate potential future
>> impact.
>
> There are also library issues where the physical device does allow
> RSA-PSS (e.g., because they can perform raw RSA root on arbitrary
> values[1]), but libraries/drivers do not support it.
>
> One test I just tried:
>
> - Smartcard capable of raw RSA.
> - OpenSC PKCS#11 drivers.
> - Firefox ESR 68
> - Server supports TLS 1.3 (Accept RSA PKCS#1v1.5 client signatures is
>   enabled[2]).
>
> Result: Failed. Client hits internal error code SEC_ERROR_LIBRARY_FAILURE
> [3].

That doesn't match my understanding of how NSS works – AFAIK, NSS (and as
such, Firefox) will try both raw RSA and rsa-pss signatures with the token,
depending on what kind of algorithms the token advertises.

I think the issue was the old version of OpenSC; new versions can do rsa-pss
with rsa-raw:
https://bugzilla.redhat.com/show_bug.cgi?id=1595626
https://github.com/OpenSC/OpenSC/pull/1435

> [1] Yeah, not great for security, but some devices are like that.
>
> [2] That option was a hack to make things work with Firefox ESR 52,
> which did send RSA PKCS#1v1.5 client signature (scheme 0x0401) in
> comparable situation.
>
> [3] My guess would be that browser asks drivers for RSA-PSS, which they
> do not support, causing the error.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
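What "rsa-pss with rsa-raw" means in practice, as an added Python example that is not code from OpenSC, NSS or this thread: the EMSA-PSS encoding (RFC 8017, SHA-256, salt length equal to the digest length as TLS 1.3 requires for the rsa_pss_* schemes) is done entirely in the driver, and the only thing the token has to perform is the raw modular exponentiation on the encoded block. The key below is a constructed toy built from two publicly known Mersenne primes so the example runs without a prime generator; it is not a usable key.

```python
import hashlib
import secrets

HLEN = 32  # SHA-256 digest length; TLS 1.3 fixes the PSS salt length to this as well

def mgf1(seed, length):
    blocks = (length + HLEN - 1) // HLEN
    return b"".join(hashlib.sha256(seed + c.to_bytes(4, "big")).digest()
                    for c in range(blocks))[:length]

def emsa_pss_encode(msg, embits, salt=None):
    """EMSA-PSS-ENCODE (RFC 8017 9.1.1): pure software, no key material needed."""
    emlen = (embits + 7) // 8
    salt = secrets.token_bytes(HLEN) if salt is None else salt
    h = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + salt).digest()
    db = b"\x00" * (emlen - 2 * HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, emlen - HLEN - 1)))
    masked = bytes([masked[0] & (0xFF >> (8 * emlen - embits))]) + masked[1:]
    return masked + h + b"\xbc"

def raw_rsa(block, exp, n):
    """The one operation the token must offer: block^exp mod n on an arbitrary block."""
    return pow(int.from_bytes(block, "big"), exp, n).to_bytes((n.bit_length() + 7) // 8, "big")

def sign_pss(msg, d, n):
    # Encode in the driver, then hand the encoded block to the token's raw RSA.
    return raw_rsa(emsa_pss_encode(msg, n.bit_length() - 1), d, n)

def verify_pss(msg, sig, e, n):
    """EMSA-PSS-VERIFY (RFC 8017 9.1.2) on the recovered encoded message."""
    embits = n.bit_length() - 1
    emlen = (embits + 7) // 8
    top = 8 * emlen - embits
    em = raw_rsa(sig, e, n)[-emlen:]
    masked, h = em[:emlen - HLEN - 1], em[emlen - HLEN - 1:-1]
    if em[-1] != 0xBC or masked[0] >> (8 - top):
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, emlen - HLEN - 1)))
    db = bytes([db[0] & (0xFF >> top)]) + db[1:]
    pslen = emlen - 2 * HLEN - 2
    if db[:pslen] != b"\x00" * pslen or db[pslen] != 1:
        return False
    h2 = hashlib.sha256(b"\x00" * 8 + hashlib.sha256(msg).digest() + db[-HLEN:]).digest()
    return secrets.compare_digest(h, h2)

# Toy key from two publicly known Mersenne primes (constructed here only so the example
# runs without a prime generator); a token holds a properly generated key, not this.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
```

A driver that only has `raw_rsa` from the token but advertises CKM_RSA_PKCS_PSS can therefore satisfy a TLS 1.3 rsa_pss_rsae_sha256 CertificateVerify request; one that refuses to advertise it leaves the client with the internal error described above.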