[Help-gnutls] Re: GnuTLS 1.6.2

Simon Josefsson simon at josefsson.org
Thu Apr 19 11:11:54 CEST 2007


nisse at lysator.liu.se (Niels Möller) writes:

>> Note that different code is used for RSA signing in TLS and RSA
>> signing in X.509 in GnuTLS.  The same problem came up in the TLS
>> context too for TLS v1.2 and there I added the following.  (TLS before
>> v1.2 doesn't use RSA PKCS#1.)
>
> That's strange... I haven't worked at all with TLS or SSL recently,
> but I just looked up the Pike/Roxen SSL-3 implementation which I
> wrote about ten years ago. It uses a NULL parameter. It interoperated
> fine with the Netscape browser at the time. It's later been upgraded
> to support TLS, and at least I haven't heard about any
> interoperability problems.
>
> The relevant file is
> http://pike.ida.liu.se/development/cvs/log.xml?file=7.7/lib/modules/Standards.pmod/PKCS.pmod/Signature.pmod&module=Pike,
> and there are actually no changes to the digestinfo formatting since I
> checked in revision 1.1, 1997-11-30.
>
>   //! @decl string build_digestinfo(string msg, Crypto.Hash hash)
>   //! Construct a PKCS-1 digestinfo
>   //! @param msg
>   //!   message to digest
>   //! @param hash
>   //!   crypto hash object such as @[Crypto.SHA] or @[Crypto.MD5]
>   string build_digestinfo(string msg, HASH hash)
>   {
>     if(!hash->asn1_id) error("Unknown ASN.1 id for hash.\n");
>     string d = hash->hash(msg);
>     string id = hash->asn1_id();
>   
>     return sprintf("%c%c%c%c%c%c%s%c%c%c%c%s",
>                    0x30, sizeof(id) + sizeof(d) + 8, 0x30, sizeof(id) + 4,
>                    0x06, sizeof(id), id, 0x05, 0x00, 0x04, sizeof(d), d);
>   } //                                   ^^^^^^^^^^
>
> Note the NULL object on the final line.
>
> I'm sure you have read the specifications much more recently than I,
> but as far as I remember, SSL and TLS have always used PKCS#1 style
> RSA signatures, so it really surprises me that you say some versions
> of TLS didn't specify that.

Are you sure that code is used for signing in the RSA key exchange
ciphersuites, and not X.509 signing?  The RSA key exchange
ciphersuites in TLS < 1.2 don't use RSA-PKCS#1 but sign a
concatenation of the MD5 + SHA1 hash instead, see RFC 4346:

   In RSA signing, a 36-byte structure of two hashes (one SHA and one
   MD5) is signed (encrypted with the private key).  It is encoded with
   PKCS #1 block type 1, as described in [PKCS1A].

Only the padding is according to PKCS#1.  In TLS 1.2, RSA signing is
done using one hash function only, and the hash OID is prepended
(actually the entire structure is the DigestInfo ASN.1 structure, just
like in your code, so it may hold parameters too).

Btw, I noticed that the latest TLS 1.2 draft says:

   In RSA signing, the opaque vector contains the signature generated
   using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1B].  As
   discussed in [PKCS1B], the DigestInfo MUST be DER encoded and for
   digest algorithms without parameters (which include SHA-1) the
   DigestInfo.AlgorithmIdentifier.parameters field SHOULD be omitted but
   implementations MUST accept both without parameters and with NULL
   parameters. Note that earlier versions of TLS used a different RSA
   signature scheme which did not include a DigestInfo encoding.

Initially I did follow the SHOULD and omitted the NULL, but I had
interop problems with the only other TLS 1.2 implementation I'm aware
of, so I changed GnuTLS.  The old code is still available in a
#if-block, in case this changes again until the RFC is published.

> PS. Feel free to forward this message to some gnutls list if you find
> it appropriate; I'm not sending it to help-gnutls at gnu.org since my
> previous message was automatically rejected.

The list is subscriber-only, I believe, but I added you to the
whitelist now, in case it makes a difference.

/Simon
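
The two SHA-1 DigestInfo encodings discussed in this message (NULL parameters present, as in the quoted Pike code, and parameters omitted), next to the 36-byte MD5 + SHA-1 value that TLS before 1.2 signs, as an added example. It is not code from GnuTLS or Pike; the function names are hypothetical, and checking the recovered bytes against the two re-encoded forms is this example's own choice for meeting the "MUST accept both" requirement.

```python
import hashlib
import hmac

# Content octets of the DER-encoded OID 1.3.14.3.2.26 (id-sha1).
SHA1_OID = bytes.fromhex("2b0e03021a")


def _tlv(tag, body):
    # Short-form DER length only; enough for the small structures used here.
    if len(body) > 127:
        raise ValueError("long-form length not needed for a SHA-1 DigestInfo")
    return bytes([tag, len(body)]) + body


def sha1_digestinfo(msg, null_params):
    """DER DigestInfo for SHA-1, with or without the NULL parameters field."""
    alg = _tlv(0x06, SHA1_OID) + (b"\x05\x00" if null_params else b"")
    digest = hashlib.sha1(msg).digest()
    return _tlv(0x30, _tlv(0x30, alg) + _tlv(0x04, digest))


def legacy_tls_hashes(msg):
    """Pre-TLS 1.2 RSA signing input: MD5 || SHA-1, 36 bytes, no DigestInfo."""
    return hashlib.md5(msg).digest() + hashlib.sha1(msg).digest()


def classify_digestinfo(recovered, msg):
    """Receiver-side check on the bytes left after the PKCS#1 block type 1
    padding has been removed. Returns "null" or "omitted" for the two
    encodings that must be accepted, and None for anything else."""
    for label, null_params in (("null", True), ("omitted", False)):
        expected = sha1_digestinfo(msg, null_params)
        if hmac.compare_digest(recovered, expected):
            return label
    return None


if __name__ == "__main__":
    sample = b"constructed sample message"
    for flag in (True, False):
        encoded = sha1_digestinfo(sample, flag)
        print(len(encoded), encoded.hex(), classify_digestinfo(encoded, sample))
    print(len(legacy_tls_hashes(sample)))
```
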




