Mailing List Archive: GnuPG: users

gpgsm --import of CA certificate: Bad signature?

Index | Next | Previous | View Threaded

simon at josefsson

Apr 17, 2007, 11:14 AM

Post #1 of 8 (944 views)
Permalink

gpgsm --import of CA certificate: Bad signature?

Hi! I'm trying to get Scute working in Mozilla (as a first step
towards making GnuTLS also use it as a PKCS#11 module). I imported my
newly generated certificate into gpgsm as follows:

jas [at] mocc:~$ gpgsm --import .gnupg/test-key.pem
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1C05327C8F295} not found using authorityKeyIdentifier
gpgsm: issuer certificate (#/CN=GnuTLS test CA) not found
gpgsm: issuer certificate {E93C1CFBAD926EE606A4562CA2E1C05327C8F295} not found using authorityKeyIdentifier
gpgsm: total number processed: 1
gpgsm: unchanged: 1
jas [at] mocc:~$

I guessed that it wouldn't hurt to import the CA certificate too. But
here's what happened then:

jas [at] mocc:~$ gpgsm --import ~/src/www-gnutls/test-credentials/x509-ca.pem
gpgsm: self-signed certificate has a BAD signature: Bad signature
gpgsm: basic certificate checks failed - not imported
gpgsm: total number processed: 1
gpgsm: not imported: 1
jas [at] mocc:~$

As far as I can tell, there is nothing wrong with this certificate.
Ideas?

You can retrieve the certificate from:
http://www.gnu.org/software/gnutls/test-credentials/x509-ca.pem

I'm using GnuPG 2.0.3.

I don't know if it is relevant, but the list of 'Supported algorithms'
seems rather short:

jas [at] mocc:~$ gpgsm --version
gpgsm (GnuPG) 2.0.3
Copyright (C) 2007 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Home: ~/.gnupg
Supported algorithms:
jas [at] mocc:~$

/Simon

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

Apr 17, 2007, 2:24 PM

Post #2 of 8 (878 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

On Tue, 17 Apr 2007 20:14, simon [at] josefsson said:

> As far as I can tell, there is nothing wrong with this certificate.
> Ideas?

If you look at the pkcs#1 encoding, you get:

Your certificate:

0 30 31: SEQUENCE {
2 30 7: SEQUENCE {
4 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
: }
11 04 20: OCTET STRING
: 2D E8 78 BE 21 E4 F4 3F FE 26 9F F3 20 20 9C BC
: D3 CE E6 23
: }

gpgsm constructs this pkcs#1 to compare it against yours:

0 30 33: SEQUENCE {
2 30 9: SEQUENCE {
4 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
11 05 0: NULL
: }
13 04 20: OCTET STRING
: 2D E8 78 BE 21 E4 F4 3F FE 26 9F F3 20 20 9C BC
: D3 CE E6 23
: }

Thus we have an extra NULL and that is the reason that it does not
verify. I am too tired to read pkcs#1 know; will do that tomorrow.
Anyway it is the first case that I noticed such a pkcs#1 encoding.

> I don't know if it is relevant, but the list of 'Supported algorithms'
> seems rather short:

Well there is no routine yet to print them. It would actually be a long
list given all the OIDs you may use to tell taht it is RSA or SHA1 or
whatever.

Salam-Shalom,

Werner

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

Apr 18, 2007, 12:39 AM

Post #3 of 8 (880 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

Hi,

whether the optional parameter of the AlgorithmIdentifier is really
optional has changed over time. My ASN.1 derived from the German Sphinx
profile state:

AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL
-- should be used but set to NULL
}

rfc3280 (X.509) does not have this remark. Peter Gutmann's X.509 guide
explains this issue:

Another pitfall to be aware of is that algorithms which have no
parameters have this specified as a NULL value rather than omitting
the parameters field entirely. The reason for this is that when the
1988 syntax for AlgorithmIdentifier was translated into the 1997
syntax, the OPTIONAL associated with the AlgorithmIdentifier
parameters got lost. Later it was recovered via a defect report, but
by then everyone thought that algorithm parameters were mandatory.
Because of this the algorithm parameters should be specified as NULL,
regardless of what you read elsewhere.

How did you create this certificate?

Salam-Shalom,

Werner

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

simon at josefsson

Apr 18, 2007, 2:39 AM

Post #4 of 8 (872 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

Werner Koch <wk [at] gnupg> writes:

> Thus we have an extra NULL and that is the reason that it does not
> verify. I am too tired to read pkcs#1 know; will do that tomorrow.
> Anyway it is the first case that I noticed such a pkcs#1 encoding.

Ah, I see. Whether the parameters should be NULL or absent seem to be
a frequent interop problem.

> Hi,
>
> whether the optional parameter of the AlgorithmIdentifier is really
> optional has changed over time. My ASN.1 derived from the German Sphinx
> profile state:
>
> AlgorithmIdentifier ::= SEQUENCE {
> algorithm OBJECT IDENTIFIER,
> parameters ANY DEFINED BY algorithm OPTIONAL
> -- should be used but set to NULL
> }
>
> rfc3280 (X.509) does not have this remark. Peter Gutmann's X.509 guide
> explains this issue:
>
> Another pitfall to be aware of is that algorithms which have no
> parameters have this specified as a NULL value rather than omitting
> the parameters field entirely. The reason for this is that when the
> 1988 syntax for AlgorithmIdentifier was translated into the 1997
> syntax, the OPTIONAL associated with the AlgorithmIdentifier
> parameters got lost. Later it was recovered via a defect report, but
> by then everyone thought that algorithm parameters were mandatory.
> Because of this the algorithm parameters should be specified as NULL,
> regardless of what you read elsewhere.
>
> How did you create this certificate?

With GnuTLS' certtool.

RFC 3280 references RFC 3279 on this, and it says:

When any of these three OIDs appears within the ASN.1 type
AlgorithmIdentifier, the parameters component of that type SHALL be
the ASN.1 type NULL.

RFC 3279 is updated by RFC 4055 which says in section 2.1 (in
particular the second paragraph):

There are two possible encodings for the AlgorithmIdentifier
parameters field associated with these object identifiers. The two
alternatives arise from the loss of the OPTIONAL associated with the
algorithm identifier parameters when the 1988 syntax for
AlgorithmIdentifier was translated into the 1997 syntax. Later the
OPTIONAL was recovered via a defect report, but by then many people
thought that algorithm parameters were mandatory. Because of this
history some implementations encode parameters as a NULL element
while others omit them entirely. The correct encoding is to omit the
parameters field; however, when RSASSA-PSS and RSAES-OAEP were
defined, it was done using the NULL parameters rather than absent
parameters.

All implementations MUST accept both NULL and absent parameters as
legal and equivalent encodings.

To be clear, the following algorithm identifiers are used when a NULL
parameter MUST be present:

sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }

Although it may be argued that RFC 4055 only applies to RSA-PSS,
although this particular section is not clear that it only applies to
RSA-PSS.

I should probably change GnuTLS here.

/Simon

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

Apr 18, 2007, 3:33 AM

Post #5 of 8 (876 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

On Wed, 18 Apr 2007 11:39, simon [at] josefsson said:

> RFC 3279 is updated by RFC 4055 which says in section 2.1 (in
> particular the second paragraph):

Which is actually Peter's text but with a different suggestion.

> Although it may be argued that RFC 4055 only applies to RSA-PSS,
> although this particular section is not clear that it only applies to
> RSA-PSS.

The problem is that allowing for different encodings will require a
complete DER (or well for some old specs even BER) parser in libgcrypt.
Not long ago most crypto libraries showed implementaion flaws in that -
libgcrypt didn't suffer from this due its poor man's and simple approach
to checkthe RSA signature. Given that the code in gpgsm/libgcrypt has
passed several compatibility tests I doubnt that it is a good idea to
change it now and open the way to introduce new bugs.

> I should probably change GnuTLS here.

I'd appreciate that. If it later turns out that too many gnutls created
certificates are in use we might consider to add a hack to gpgsm just
for the SHA-1 case.

Shalom-Salam,

Werner

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

simon at josefsson

Apr 18, 2007, 5:11 AM

Post #6 of 8 (868 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

Werner Koch <wk [at] gnupg> writes:

>> Although it may be argued that RFC 4055 only applies to RSA-PSS,
>> although this particular section is not clear that it only applies to
>> RSA-PSS.
>
> The problem is that allowing for different encodings will require a
> complete DER (or well for some old specs even BER) parser in libgcrypt.
> Not long ago most crypto libraries showed implementaion flaws in that -
> libgcrypt didn't suffer from this due its poor man's and simple approach
> to checkthe RSA signature. Given that the code in gpgsm/libgcrypt has
> passed several compatibility tests I doubnt that it is a good idea to
> change it now and open the way to introduce new bugs.

It is possible to avoid a DER/BER decoder if you generate two
structures, one with NULL parameters and one with absent parameters,
and compare both against what's in the decrypted signatures.

>> I should probably change GnuTLS here.
>
> I'd appreciate that. If it later turns out that too many gnutls created
> certificates are in use we might consider to add a hack to gpgsm just
> for the SHA-1 case.

GnuTLS accepts both variants, so I made the change. I'll release an
updated stable version to help get it out as soon as possible.

/Simon

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

wk at gnupg

Apr 18, 2007, 6:11 AM

Post #7 of 8 (864 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

On Wed, 18 Apr 2007 14:11, simon [at] josefsson said:

> It is possible to avoid a DER/BER decoder if you generate two
> structures, one with NULL parameters and one with absent parameters,
> and compare both against what's in the decrypted signatures.

There is a plan tomove pkcs#1 decoding into libgcrypt. This would allow
us to do a second compare without too much changes. I'll put it onto my
todo list but don't expect it to happen anytime soon.

> GnuTLS accepts both variants, so I made the change. I'll release an
> updated stable version to help get it out as soon as possible.

Would it be sufficient to do that just for SHA-1? In that case a hack
in cipher/rsa.c would do the trick without too much fear of regression.

Salam-Shalom,

Werner

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

simon at josefsson

Apr 18, 2007, 8:34 AM

Post #8 of 8 (871 views)
Permalink

Re: gpgsm --import of CA certificate: Bad signature? [In reply to]

Werner Koch <wk [at] gnupg> writes:

> On Wed, 18 Apr 2007 14:11, simon [at] josefsson said:
>
>> It is possible to avoid a DER/BER decoder if you generate two
>> structures, one with NULL parameters and one with absent parameters,
>> and compare both against what's in the decrypted signatures.
>
> There is a plan tomove pkcs#1 decoding into libgcrypt. This would allow
> us to do a second compare without too much changes. I'll put it onto my
> todo list but don't expect it to happen anytime soon.

Doing PKCS#1 in libgcrypt would be useful for GnuTLS too. I'd like to
remove that code in the long run... OTOH, it seems likely that GnuTLS
will use some assuan-like protocol and an agent to do private key
signing operations, so maybe this concern will be moot.

>> GnuTLS accepts both variants, so I made the change. I'll release an
>> updated stable version to help get it out as soon as possible.
>
> Would it be sufficient to do that just for SHA-1? In that case a hack
> in cipher/rsa.c would do the trick without too much fear of regression.

I don't know. If you do it for SHA-1, that will cover many practical
situations and that may be enough.

/Simon

_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads