[PATCH] MD2 for libgcrypt
smueller at chronox.de
Mon Jul 19 20:15:37 CEST 2010
Am Montag 19 Juli 2010, um 19:38:30 schrieb Daniel Kahn Gillmor:
> On 07/16/2010 03:29 PM, Stephan Mueller wrote:
> > as the issue with the Verisign CA certificates would be solved with this
> > patch and considering that the Verisign CAs are used pervasively, may I
> > ask whether it is possible to add the Verisign CAs to com-certs.pem?
> are you talking about certificates for the verisign root(s)? or are you
> talking about intermediate verisign CA certificate?
> If it's the former, the digest used shouldn't matter -- what matters is
> the public key material and any internal constraints set (e.g.
> expiration dates). Validating a self-signature (esp. one with a
> known-weak digest) for a trusted root CA certificate is a basically
> meaningless operation.
Both, there is the root cert (and I concur with your assessment), but there
are also intermediate certs with MD2 too.
The problem with any of these MD2 certs is that you cannot do a gpgsm --import
because gpgsm simply rejects them due to the MD2 hash. And during the import,
the hash is also validated. So, unless you want to break gpgsm (a bad thing to
do), you have no choice but to implement MD2 to allow these certs to be
> > However, I have one question: as far as I understand, the list in
> > com-certs.pem are used as trusted certificates, not needing to reference
> > them in trustlist.txt. However, the Verisign CA certs all need the
> > "relax" flag as otherwise the CA cert is not accepted by gpgsm.
> If there are specific warnings that come up in this use case with
> Verisign CA certs, we should address those warnings as specific bugs
> themselves unrelated to the MD2 implementation (or lack thereof).
The issue is that the CA certs and intermediate certs are simply broken, look
$ gpgsm --dump-keys 77AF556F
Issuer: OU=Class 1 Public Primary Certification Authority,O=VeriSign\,
Subject: OU=Class 1 Public Primary Certification Authority,O=VeriSign\,
notBefore: 1996-01-29 00:00:00
notAfter: 2028-08-01 23:59:59
hashAlgo: 1.2.840.113522.214.171.124 (md2WithRSAEncryption)
keyType: 1024 bit RSA
You see, there is no key usage or such.
> I'm not arguing for discarding the offered MD2 patch (this functionality
> would be good to have available), but i don't think it's relevant in the
> scenario you're describing (at least as i understand it).
Well, Werner already told me that he is not integrating the patches. However,
as the patches only enable the signature verification of an already existing
signature, I cannot fully understand the decision.
> Are there specific bugs related to the use of verisign root CA certs?
Not in gpgsm, only with the certs themselves.
More information about the Gcrypt-devel