gpgsm --import of CA certificate: Bad signature?
Simon Josefsson
simon at josefsson.org
Wed Apr 18 11:39:15 CEST 2007
Werner Koch <wk at gnupg.org> writes:
> Thus we have an extra NULL and that is the reason that it does not
> verify. I am too tired to read pkcs#1 know; will do that tomorrow.
> Anyway it is the first case that I noticed such a pkcs#1 encoding.
Ah, I see. Whether the parameters should be NULL or absent seem to be
a frequent interop problem.
> Hi,
>
> whether the optional parameter of the AlgorithmIdentifier is really
> optional has changed over time. My ASN.1 derived from the German Sphinx
> profile state:
>
> AlgorithmIdentifier ::= SEQUENCE {
> algorithm OBJECT IDENTIFIER,
> parameters ANY DEFINED BY algorithm OPTIONAL
> -- should be used but set to NULL
> }
>
> rfc3280 (X.509) does not have this remark. Peter Gutmann's X.509 guide
> explains this issue:
>
> Another pitfall to be aware of is that algorithms which have no
> parameters have this specified as a NULL value rather than omitting
> the parameters field entirely. The reason for this is that when the
> 1988 syntax for AlgorithmIdentifier was translated into the 1997
> syntax, the OPTIONAL associated with the AlgorithmIdentifier
> parameters got lost. Later it was recovered via a defect report, but
> by then everyone thought that algorithm parameters were mandatory.
> Because of this the algorithm parameters should be specified as NULL,
> regardless of what you read elsewhere.
>
> How did you create this certificate?
With GnuTLS' certtool.
RFC 3280 references RFC 3279 on this, and it says:
When any of these three OIDs appears within the ASN.1 type
AlgorithmIdentifier, the parameters component of that type SHALL be
the ASN.1 type NULL.
RFC 3279 is updated by RFC 4055 which says in section 2.1 (in
particular the second paragraph):
There are two possible encodings for the AlgorithmIdentifier
parameters field associated with these object identifiers. The two
alternatives arise from the loss of the OPTIONAL associated with the
algorithm identifier parameters when the 1988 syntax for
AlgorithmIdentifier was translated into the 1997 syntax. Later the
OPTIONAL was recovered via a defect report, but by then many people
thought that algorithm parameters were mandatory. Because of this
history some implementations encode parameters as a NULL element
while others omit them entirely. The correct encoding is to omit the
parameters field; however, when RSASSA-PSS and RSAES-OAEP were
defined, it was done using the NULL parameters rather than absent
parameters.
All implementations MUST accept both NULL and absent parameters as
legal and equivalent encodings.
To be clear, the following algorithm identifiers are used when a NULL
parameter MUST be present:
sha1Identifier AlgorithmIdentifier ::= { id-sha1, NULL }
sha224Identifier AlgorithmIdentifier ::= { id-sha224, NULL }
sha256Identifier AlgorithmIdentifier ::= { id-sha256, NULL }
sha384Identifier AlgorithmIdentifier ::= { id-sha384, NULL }
sha512Identifier AlgorithmIdentifier ::= { id-sha512, NULL }
Although it may be argued that RFC 4055 only applies to RSA-PSS,
although this particular section is not clear that it only applies to
RSA-PSS.
I should probably change GnuTLS here.
/Simon
More information about the Gnupg-users
mailing list