[Help-gnutls] Re: GnuTLS 1.6.2

Simon Josefsson simon at josefsson.org
Wed Apr 18 22:05:46 CEST 2007


nisse at lysator.liu.se (Niels Möller) writes:

> Simon Josefsson <simon at josefsson.org> writes:
>
>> ** Fix X.509 signing with RSA-PKCS#1 to set a NULL parameters field.
>> Before, we removed the parameters field, which resulted in a slightly
>> different DER encoding which in turn caused signature verification
>> failures of GnuTLS-generated RSA certificates in some other
>> implementations (e.g., GnuPG 2.x's gpgsm).  Depending on which RFCs
>> you read, this may or may not be correct, but our new behaviour appears
>> to be consistent with other widely used implementations.
>
> Hmm, does that mean that you use equivalent signature generation as
> nettle? This is what I use (for md5; sha1 and sha256 are similar).
>
> nettle/pkcs1-rsa-md5:
>
>   /* From pkcs-1v2
>    *
>    *   md5 OBJECT IDENTIFIER ::=
>    *     {iso(1) member-body(2) US(840) rsadsi(113549) digestAlgorithm(2) 5}
>    *
>    * The parameters part of the algorithm identifier is NULL:
>    *
>    *   md5Identifier ::= AlgorithmIdentifier {md5, NULL}
>    */
>   
>   static const uint8_t
>   md5_prefix[] =
>   {
>     /* 18 octets prefix, 16 octets hash, 34 total. */
>     0x30,       32, /* SEQUENCE */
>       0x30,     12, /* SEQUENCE */
>         0x06,    8, /* OBJECT IDENTIFIER */
>           0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05,
>         0x05,    0, /* NULL */
>       0x04,     16  /* OCTET STRING */
>         /* Here comes the raw hash value */
>   };

Yes.  In earlier versions, X.509 RSA signatures did not have the NULL
at all, but had an empty field.

Note that different code is used for RSA signing in TLS and RSA
signing in X.509 in GnuTLS.  The same problem came up in the TLS
context too for TLS v1.2 and there I added the following.  (TLS before
v1.2 doesn't use RSA PKCS#1.)

#if 1
      /* Use NULL parameters. */
      memcpy (concat,
	      "\x30\x21\x30\x09\x06\x05\x2b\x0e\x03\x02\x1a\x05\x00\x04\x14",
	      15);
      _gnutls_hash_deinit (td_sha, &concat[15]);
      dconcat.size = 35;
#else
      /* No parameters field. */
      memcpy (concat,
	      "\x30\x1f\x30\x07\x06\x05\x2b\x0e\x03\x02\x1a\x04\x14",
	      13);
      _gnutls_hash_deinit (td_sha, &concat[13]);
      dconcat.size = 33;
#endif

/Simon
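
Added example (not part of the original message, and not GnuTLS or nettle code): the two SHA-1 encodings in the #if/#else above differ in the NULL and in both length octets, so a verifier that compares against the NULL-parameter encoding rejects the parameter-less one. `build_di`, `classify_di` and `strict_verify` are hypothetical names; only the two prefix byte strings come from the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define SHA1_LEN 20
enum di_form { DI_MALFORMED, DI_NULL_PARAMS, DI_NO_PARAMS };
/* Prefixes copied from the #if/#else above; all identifiers are illustrative. */
static const uint8_t prefix_null[15] = {   /* outer length 0x21, inner 0x09 */
  0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
  0x05, 0x00, 0x04, 0x14 };
static const uint8_t prefix_absent[13] = { /* outer length 0x1f, inner 0x07 */
  0x30, 0x1f, 0x30, 0x07, 0x06, 0x05, 0x2b, 0x0e, 0x03, 0x02, 0x1a,
  0x04, 0x14 };

/* Write prefix || hash; returns 35 or 33, or 0 if out is too small. */
size_t build_di(int with_null, const uint8_t *hash, uint8_t *out, size_t cap)
{
  const uint8_t *p = with_null ? prefix_null : prefix_absent;
  size_t plen = with_null ? sizeof prefix_null : sizeof prefix_absent;
  if (cap < plen + SHA1_LEN) return 0;
  memcpy(out, p, plen);
  memcpy(out + plen, hash, SHA1_LEN);
  return plen + SHA1_LEN;
}

/* Identify the form by exact length and prefix; trailing bytes are rejected. */
enum di_form classify_di(const uint8_t *di, size_t len)
{
  if (len == sizeof prefix_null + SHA1_LEN && !memcmp(di, prefix_null, sizeof prefix_null))
    return DI_NULL_PARAMS;
  if (len == sizeof prefix_absent + SHA1_LEN && !memcmp(di, prefix_absent, sizeof prefix_absent))
    return DI_NO_PARAMS;
  return DI_MALFORMED;
}

/* Verifier that re-encodes with NULL and compares bytes: 1 on match, else 0. */
int strict_verify(const uint8_t *di, size_t len, const uint8_t *hash)
{
  uint8_t expect[sizeof prefix_null + SHA1_LEN];
  size_t n = build_di(1, hash, expect, sizeof expect);
  return len == n && memcmp(di, expect, n) == 0;
}

int main(void)
{
  uint8_t hash[SHA1_LEN] = {0}, di[35];  /* constructed all-zero digest */
  size_t n = build_di(0, hash, di, sizeof di);
  /* Exit 0 when the parameter-less form is recognised but fails strict_verify. */
  return !(classify_di(di, n) == DI_NO_PARAMS && !strict_verify(di, n, hash));
}
```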




