-
-
Notifications
You must be signed in to change notification settings - Fork 9.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rsassa-pss not supported with openssl ts -verify #7904
Comments
I am currently looking into this; seems to be a valid point. |
Could you clarify exactly what your issue with timestamp verification is, because I've just successfully verified a TS response signed with a rsassa-pss cert (which was in turn signed by a root rsassa-pss CA cert)? |
Thanks for your support.
I am just struggling to get some test data. Unfortunately it is not easy. Please be patient, I’ll do my very best. I’ll reply as soon as I have the files.
Von: Quantomicus <notifications@github.com>
Gesendet: Mittwoch, 19. Dezember 2018 18:10
An: openssl/openssl <openssl@noreply.github.com>
Cc: brndrdck <bernd.rudack@witten-schnee.de>; Author <author@noreply.github.com>
Betreff: Re: [openssl/openssl] rsassa-pss not supported with openssl ts -verify (#7904)
Could you clarify exactly what your issue with timestamp verification is, because I've just successfully verified a TS response signed with a rsassa-pss cert (which was in turn signed by a root rsassa-pss CA cert)?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#7904 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ArwlxYD0AOPGop-RhazhNxiPWki_7G2bks5u6nLZgaJpZM4ZUPJ6> . <https://github.com/notifications/beacon/ArwlxZGb2O9p5Rl2l7LOMeFst6uIrkvTks5u6nLZgaJpZM4ZUPJ6.gif>
|
Hi Quantomicus,
sorry for the delay. I fortunately got more information from D-Trust TSA. They sent me a bunch of test files.
The attached tar archive contains 3 directories:
OK:
* a bunch of time stamp requests with
nonce/no_nonce
cert chain includes in response / cert Chain not included in response
* certificate chain
* root ca certificate
* script verify.sh
The data file and the requests (.tsq) are the same as in the directory “NOT_OK” (see below)
The TSA is a test CA of the University of Graz. They use sha256 with rsa encryption.
Verification of certificate chain as well as verification of the time stamps work properly.
dtr_certs:
Here you will find the certificates of the productive TSA of D-Trust (www.d-trust.net <http://www.d-trust.net> ). Unfortunately I cannot provide an example
of the timestamp and the problem with rsassa-pss but the certificate chain verification works (verify.sh)
NOT_OK:
* a bunch of time stamp requests with
nonce/no_nonce
cert chain includes in response / cert Chain not included in response
* certificate chain
* root ca certificate
* script verify.sh
Running verify.sh you will notice 2 issues:
1. certificate chain verification does not work completely. You can verify the sub CA but not the leaf certificate.
The certificates should be similar to those in dtr_certs. I tried to compare the certs manually but I didn’t’ find
any hint
2. running openssl ts -verify the problem with the padding occurred. It is the same error message (just the line with PKCS1) as in the
production CA.
…--> Verifying example_no-nonce_no-chain.tsr - now with tsq
Using configuration from /home/rudack/openssl-OpenSSL_1_1_1a/apps/openssl.cnf
Verification: FAILED
140139889276736:error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding:crypto/rsa/rsa_pk1.c:68:
140139889276736:error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed:crypto/rsa/rsa_ossl.c:582:
140139889276736:error:21071069:PKCS7 routines:PKCS7_signatureVerify:signature failure:crypto/pkcs7/pk7_doit.c:1037:
140139889276736:error:2F06A06D:time stamp routines:TS_RESP_verify_signature:signature failure:crypto/ts/ts_rsp_verify.c:143:
It would be great if you could find the reason for the issues.
Von: Quantomicus <notifications@github.com>
Gesendet: Mittwoch, 19. Dezember 2018 18:10
An: openssl/openssl <openssl@noreply.github.com>
Cc: brndrdck <bernd.rudack@witten-schnee.de>; Author <author@noreply.github.com>
Betreff: Re: [openssl/openssl] rsassa-pss not supported with openssl ts -verify (#7904)
Could you clarify exactly what your issue with timestamp verification is, because I've just successfully verified a TS response signed with a rsassa-pss cert (which was in turn signed by a root rsassa-pss CA cert)?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub <#7904 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ArwlxYD0AOPGop-RhazhNxiPWki_7G2bks5u6nLZgaJpZM4ZUPJ6> . <https://github.com/notifications/beacon/ArwlxZGb2O9p5Rl2l7LOMeFst6uIrkvTks5u6nLZgaJpZM4ZUPJ6.gif>
|
Thank you for your detailed reply, I'll look into it as soon as I can. Although, as I understand from your reply, you wanted to attach an archive to it, but I found nothing attached (GitHub doesn't have file upload functionality, AFAIK, you might want to use an external file host and reply with the link). Unless I misunderstood you and you are talking (and quoted the email you received) about the archive you were sent? It would be much easier to debug if the test files were publicly available here, though. |
I hope that the upload worked now. |
It did work, thank you. I'll look into this ASAP |
Hi Quantomicus, |
BTW.: Certificate (chain) can be verified on W7 |
I have the same issue as @brndrdck. Please find in openssl-issue-7904.zip the following files to reproduce the error:
Both timestamp tokens are signed by the same certificate, but they timestamp different hashes. Here is a diff of the asn1parse of both tokens (interesting part is in line 72). The token with rsaEncryption is verified:
The token with rsassaPss fails to verify:
Note: I am using OpenSSL v1.1.1a bundled with Git for Windows. |
Hello, I think the cause is the signer's certificate. The sample data show me the following: The public key in the signer's certificate has the type EVP_PKEY_RSA. When verifying, the key is used without further comparison. But according to the SignerInfo in the timestamp, the signature was encrypted using EVP_PKEY_RSA_PSS. (Unfortunately, I do not know if the timestamp creator makes a mistake here or if the verification should detect this case.) Anyway, I have developed a helper solution that in this case uses a temporary public key with the type according to SignerInfo. For this I have developed a new function
and stored in "crypto\x509\x_pubkey.c". (It is a copy of an already existing function with slight changes for my purposes. The error processing (X509err (...)) still needs to be adjusted.) I use the new function in "crypto\ pkcs7\pk7_doit.c" in the function "int PKCS7_signatureVerify (...)". As you can see, I have no experience with the source and structure of the library. But I hope that the analysis is not entirely wrong and the proposed changes help someone else. Here are both functions (openssl 1.1.1): (crypto\x509\x_pubkey.c)
(crypto\pkcs7\pk7_doit.c)
|
I also have similar problem:
Version with @starcmed's fix works correctly (@starcmed, thank you!):
|
More and more people having this issue. Could you please look into this issue? |
To begin with, which openssl version are you all referring to? |
In my case:
|
In my case: 'openssl-1.1.1b' I attached some test files to this message. In this test, I use a timestamp generated by an official TSA:
As can be seen, the verification does not work: Verification: FAILED |
I can confirm the issue of @starcmed in comment 557014714 |
The problem also exists in the current master (b897b35):
|
Cause is indeed RSA_padding_check_PKCS1_type_1 called in rsa_ossl.c not containing support for PSS. A possible/quick work around is switching to CMS_verify() which supports PSS. |
I was just trying to validate S/MIME signatures that use RSA-PSS and I'm really surprised that OpenSSL 3.0.10 does not make it available through
|
With openssl 1.1.1 rsassa-pss is supported. During my tests I could successfully verify certificates or certificate chains where this algorithm was used.
Unfortunately the verification of a timestamp that was signed using rsassa-pss failed. After a look at the source code I noticed, that it is not supported in "openssl ts -verify". The functions as well as the error messages are missing.
Is it possible to add the corresponding code in one of the next sub releases?
The text was updated successfully, but these errors were encountered: