Hello,

I am trying to resign a CMS using the openssl tool. When I use RSA-PKCS1 everything is working fine. When I use RSA-PSS it seems like the asn1 is produced corrupted, I do not see the signature in asn1dump.

I prepared a demo[1] to help people reproduce the issue, tested with openssl-1.1.1i.

The script output pasted below shows that CMS resign without PSS works correctly, while the same sequence with PSS produces a corrupted CMS file.

What am I doing wrong?

Regards,
Alon Bar-Lev

---
===============
CMS without PSS
===============
cms -sign 1.cms
cms -verify 1.cms
hello world
Verification successful
cms -resign 1.cms to 2.cms
cms -verify 2.cms
hello world
Verification successful
===============
CMS with PSS
===============
cms -sign 1.cms
cms -verify 1.cms
hello world
Verification successful
cms -resign 1.cms to 2.cms
cms -verify 2.cms
Error reading S/MIME message
140438977062208:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:../crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
140438977062208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, Type=CMS_SignerInfo
140438977062208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:614:Field=signerInfos, Type=CMS_SignedData
140438977062208:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:
140438977062208:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
FATAL: verify 2.cms failed

--On Saturday, February 13, 2021 11:23 PM +0200 Alon Bar-Lev <[hidden email]> wrote:

> I prepared a demo[1] to help people reproduce the issue, tested with
> openssl-1.1.1i.

Maybe <https://github.com/openssl/openssl/issues/13931> ?

--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

On Sat, Feb 13, 2021 at 11:34 PM Quanah Gibson-Mount <[hidden email]> wrote:
> --On Saturday, February 13, 2021 11:23 PM +0200 Alon Bar-Lev
> <[hidden email]> wrote:
>
> > I prepared a demo[1] to help people reproduce the issue, tested with
> > openssl-1.1.1i.
>
> Maybe <https://github.com/openssl/openssl/issues/13931> ?
>

Thanks Quanah,

I tested OpenSSL_1_1_1-stable branch which should have fixed the issue, the result is the same.

Regards,
Alon

Hello OpenSSL masters,

Can someone please try to reproduce the below issue?

Thanks,
Alon

On Sat, 13 Feb 2021 at 23:23 Alon Bar-Lev <[hidden email]> wrote:

Hi Alon,

I am able to reproduce this issue with 1.1.1i

echo "hello world" > msg

/* pkcs1 */
openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms
openssl cms -verify -in 1.cms -CAfile ca.pem
openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms
openssl cms -verify -in 2.cms -CAfile ca.pem

/* pss */
openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 1.cms -CAfile ca.pem
openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 2.cms -CAfile ca.pem

Thanks,
Thulasi.

On Fri, 19 Feb 2021 at 13:16, Alon Bar-Lev <[hidden email]> wrote:

On Fri, Feb 19, 2021 at 11:19:42PM +0530, Thulasi Goriparthi wrote:
> I am able to reproduce this issue with 1.1.1i

OpenSSL 1.1.1j has been released. Do you still see the problem with 1.1.1j?

--
Viktor.

I am able to reproduce this issue with 1.1.1j too.

openssl version -a
OpenSSL 1.1.1j 16 Feb 2021
built on: Fri Feb 19 18:56:06 2021 UTC
platform: darwin64-x86_64-cc
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: cc -fPIC -arch x86_64 -g -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific

openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 1.cms -CAfile ca.pem
Content-Type: text/plain

hello world
Verification successful
openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss
openssl cms -verify -in 2.cms -CAfile ca.pem
Error reading S/MIME message
4757167552:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, Type=CMS_SignerInfo
4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:615:Field=signerInfos, Type=CMS_SignedData
4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:
4757167552:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
4757167552:error:0D0D106E:asn1 encoding routines:b64_read_asn1:decode error:crypto/asn1/asn_mime.c:143:
4757167552:error:0D0D40CC:asn1 encoding routines:SMIME_read_ASN1:asn1 sig parse error:crypto/asn1/asn_mime.c:451:

Thanks,
Thulasi.

On Sat, 20 Feb 2021 at 00:09, Viktor Dukhovni <[hidden email]> wrote:
On Fri, Feb 19, 2021 at 11:19:42PM +0530, Thulasi Goriparthi wrote:

Thanks!
Was about to write... I tested both 1.1 and master branches and result is the same.

On Fri, 19 Feb 2021 at 21:04 Thulasi Goriparthi <[hidden email]> wrote:

With PSS, for the first signature, PSS alg ID and params are encoded correctly, but not for the second signature (resign).

2542:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capabilities
2553:d=7 hl=2 l= 108 cons: SET
2555:d=8 hl=2 l= 106 cons: SEQUENCE
2557:d=9 hl=2 l= 11 cons: SEQUENCE
2559:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
2570:d=9 hl=2 l= 11 cons: SEQUENCE
2572:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
2583:d=9 hl=2 l= 11 cons: SEQUENCE
2585:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
2596:d=9 hl=2 l= 10 cons: SEQUENCE
2598:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
2608:d=9 hl=2 l= 14 cons: SEQUENCE
2610:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
2620:d=10 hl=2 l= 2 prim: INTEGER :80
2624:d=9 hl=2 l= 13 cons: SEQUENCE
2626:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
2636:d=10 hl=2 l= 1 prim: INTEGER :40
2639:d=9 hl=2 l= 7 cons: SEQUENCE
2641:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
2648:d=9 hl=2 l= 13 cons: SEQUENCE
2650:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
2660:d=10 hl=2 l= 1 prim: INTEGER :28
2663:d=5 hl=2 l= 0 cons: SEQUENCE
2665:d=5 hl=2 l= 0 prim: OCTET STRING
2667:d=4 hl=4 l= 723 cons: SEQUENCE
2671:d=5 hl=2 l= 1 prim: INTEGER :01
2674:d=5 hl=3 l= 149 cons: SEQUENCE
2677:d=6 hl=3 l= 143 cons: SEQUENCE
2680:d=7 hl=2 l= 11 cons: SET
2682:d=8 hl=2 l= 9 cons: SEQUENCE
2684:d=9 hl=2 l= 3 prim: OBJECT :countryName
2689:d=9 hl=2 l= 2 prim: PRINTABLESTRING :IN
2693:d=7 hl=2 l= 11 cons: SET
==multiple lines truncated==
2949:d=7 hl=2 l= 9 prim: OBJECT :S/MIME Capabilities
2960:d=7 hl=2 l= 108 cons: SET
2962:d=8 hl=2 l= 106 cons: SEQUENCE
2964:d=9 hl=2 l= 11 cons: SEQUENCE
2966:d=10 hl=2 l= 9 prim: OBJECT :aes-256-cbc
2977:d=9 hl=2 l= 11 cons: SEQUENCE
2979:d=10 hl=2 l= 9 prim: OBJECT :aes-192-cbc
2990:d=9 hl=2 l= 11 cons: SEQUENCE
2992:d=10 hl=2 l= 9 prim: OBJECT :aes-128-cbc
3003:d=9 hl=2 l= 10 cons: SEQUENCE
3005:d=10 hl=2 l= 8 prim: OBJECT :des-ede3-cbc
3015:d=9 hl=2 l= 14 cons: SEQUENCE
3017:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
3027:d=10 hl=2 l= 2 prim: INTEGER :80
3031:d=9 hl=2 l= 13 cons: SEQUENCE
3033:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
3043:d=10 hl=2 l= 1 prim: INTEGER :40
3046:d=9 hl=2 l= 7 cons: SEQUENCE
3048:d=10 hl=2 l= 5 prim: OBJECT :des-cbc
3055:d=9 hl=2 l= 13 cons: SEQUENCE
3057:d=10 hl=2 l= 8 prim: OBJECT :rc2-cbc
3067:d=10 hl=2 l= 1 prim: INTEGER :28
3070:d=5 hl=2 l= 62 cons: SEQUENCE
3072:d=6 hl=2 l= 9 prim: OBJECT :rsassaPss
3083:d=6 hl=2 l= 49 cons: SEQUENCE
3085:d=7 hl=2 l= 13 cons: cont [ 0 ]
3087:d=8 hl=2 l= 11 cons: SEQUENCE
3089:d=9 hl=2 l= 9 prim: OBJECT :sha256
3100:d=7 hl=2 l= 26 cons: cont [ 1 ]
3102:d=8 hl=2 l= 24 cons: SEQUENCE
3104:d=9 hl=2 l= 9 prim: OBJECT :mgf1
3115:d=9 hl=2 l= 11 cons: SEQUENCE
3117:d=10 hl=2 l= 9 prim: OBJECT :sha256
3128:d=7 hl=2 l= 4 cons: cont [ 2 ]
3130:d=8 hl=2 l= 2 prim: INTEGER :DE
3134:d=5 hl=4 l= 256 prim: OCTET STRING [HEX DUMP]:66C7A406905E0BEF3BE8A55B8BA05915020B6960BDE4700C3C3FB2F115FE5BA60B453EFF39BA37E4D16CA3A86582B3057D05875766BE99C51BC5BEC9CD1AAE3BEC34943160BB06784209F1A3773E07A101BA3E2231FDF85FAB91872A081E37410905A09DAF530600BF9099B054B1DF869826E864A95F5D55DAE84A0CEC43E52F6D13574E1EF66A4E3A65883788E265D6C174211ADBCFEA96A9DD186887BFE040D6D0B59547D8763157D322F0307D7AF3123B0ECFB11E1E7EA228861F4363DBA8D478A7E44F1DEB77A3904FBD90CAA41E291A2E094ABCBD5134146FB1C0F42BC8D7B4829DEFEE7BACDFC024FB8B9FAF16F225EB3C96D866C535B2A06E83DCF007

Thanks,
Thulasi.

On Sat, 20 Feb 2021 at 00:40, Alon Bar-Lev <[hidden email]> wrote:

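The zero-length SEQUENCE and OCTET STRING at offsets 2663 and 2665 in the dump above are the fields the verify error stack names (Field=algorithm missing inside signatureAlgorithm of a CMS_SignerInfo). The following Python heuristic is an added example, not part of the thread or of OpenSSL: it scans openssl asn1parse text for an AlgorithmIdentifier SEQUENCE directly followed by a sibling OCTET STRING and reports pairs that are empty. The function names are hypothetical and the sample lines are constructed on the pattern of the dump, with a short placeholder signature.

```python
import re
from typing import NamedTuple, Optional

class Node(NamedTuple):
    offset: int
    depth: int
    length: int
    tag: str
    value: str

class Finding(NamedTuple):
    offset: int                # offset of the AlgorithmIdentifier SEQUENCE
    algorithm: Optional[str]   # OID name printed by asn1parse, or None
    signature_len: int
    problems: list

# One asn1parse line: "offset:d=N hl=N l= N cons|prim: TAG [:value]"
LINE_RE = re.compile(
    r"^(\d+):d=\s*(\d+)\s+hl=\s*\d+\s+l=\s*(\d+)\s+(?:cons|prim):\s+"
    r"(.+?)\s*(?::(.*))?$"
)

def parse_asn1parse(text):
    """Turn asn1parse text into Node records; non-matching lines are skipped."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        tag = m.group(4).replace("[HEX DUMP]", "").strip()
        nodes.append(Node(int(m.group(1)), int(m.group(2)), int(m.group(3)),
                          tag, (m.group(5) or "").strip()))
    return nodes

def previous_sibling(nodes, i):
    """Index of the nearest earlier node at the same depth under the same parent."""
    for j in range(i - 1, -1, -1):
        if nodes[j].depth < nodes[i].depth:
            return None
        if nodes[j].depth == nodes[i].depth:
            return j
    return None

def check_signature_fields(nodes):
    """Heuristic: every SEQUENCE + sibling OCTET STRING pair is treated as
    (signatureAlgorithm, signature) and checked for emptiness."""
    findings = []
    for i, node in enumerate(nodes):
        if node.tag != "OCTET STRING":
            continue
        j = previous_sibling(nodes, i)
        if j is None or nodes[j].tag != "SEQUENCE":
            continue
        first = nodes[j + 1] if j + 1 < i else None
        oid = None
        if first and first.tag == "OBJECT" and first.depth == nodes[j].depth + 1:
            oid = first.value
        problems = []
        if oid is None:
            problems.append("signatureAlgorithm has no algorithm OID")
        if node.length == 0:
            problems.append("signature is empty")
        findings.append(Finding(nodes[j].offset, oid, node.length, problems))
    return findings

# Constructed sample, modelled on the dump in the thread (signature shortened).
SAMPLE = """\
2660:d=10 hl=2 l= 1 prim: INTEGER :28
2663:d=5 hl=2 l= 0 cons: SEQUENCE
2665:d=5 hl=2 l= 0 prim: OCTET STRING
2667:d=4 hl=4 l= 723 cons: SEQUENCE
2671:d=5 hl=2 l= 1 prim: INTEGER :01
3070:d=5 hl=2 l= 62 cons: SEQUENCE
3072:d=6 hl=2 l= 9 prim: OBJECT :rsassaPss
3083:d=6 hl=2 l= 49 cons: SEQUENCE
3134:d=5 hl=4 l= 4 prim: OCTET STRING [HEX DUMP]:DEADBEEF
"""

if __name__ == "__main__":
    for f in check_signature_fields(parse_asn1parse(SAMPLE)):
        print(f.offset, f.algorithm, f.signature_len, f.problems or "ok")
```

On a truncated dump the sibling search can pair unrelated nodes, so run it on the complete asn1parse output of the file being checked.
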
Thanks.
I managed to narrow this, it is not related to pss also if I pass pkcs1 I can reproduce. It has something to do with CMS_KEY_PARAM flag and add signer.

On Fri, 19 Feb 2021 at 22:03 Thulasi Goriparthi <[hidden email]> wrote:

Hi,

I am trying to analyze openssl sources, and it looks like the resign is implemented in a naive path that does not handle all cases.

In other words, the CMS resign is not working in any case other than the default execution path.

For example the -noattr is also not working.

I updated my reproduction project[1] to show all cases of resign that do not work CMS_NO_ATTR, CMS_KEY_PARAM.

I believe the root cause is that when resign is executed the CMS_final() is not called and instead the i2d_CMS_bio() is called, while its logic is incomplete.

I hope this will ring a bell to people who are maintaining the crypto/cms/* implementation.

Tested [fails] with:
OpenSSL_1_1_1-stable
master

Regards,
Alon

[1] https://github.com/alonbl/openssl-cms-pss

On Fri, Feb 19, 2021 at 10:06 PM Alon Bar-Lev <[hidden email]> wrote:
>
> Thanks.
> I managed to narrow this, it is not related to pss also if I pass pkcs1 I can reproduce. It has something to do with CMS_KEY_PARAM flag and add signer.

Would you mind to raise the issue on GitHub with the reproduction?

On Fri, 19 Feb 2021, 21:44 Alon Bar-Lev, <[hidden email]> wrote:
> Hi,

Done[1]

[1] https://github.com/openssl/openssl/issues/14257

On Fri, Feb 19, 2021 at 11:09 PM Dmitry Belyavsky <[hidden email]> wrote:
>
> Would you mind to raise the issue on GitHub with the reproduction?