rsaOAEP OID in X509 certificate


hardeves
Hello all,

By default, if I create an X 509 certificate with a public key in it, the
object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
places in code, but the only place this object ID is specified is in
obj_dat.h, and not used anywhere else (as far as I can see...)

Regards,
Stephane van Hardeveld

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: rsaOAEP OID in X509 certificate

Ken Goldman-2
1 - If you are trying to extract the public key, X509_get_pubkey() won't
work.  I have sample code to do it.  Let me know if you want the
complete function.

Basically:

        X509_get_X509_PUBKEY
        X509_PUBKEY_get0_param
        d2i_RSAPublicKey

2 - If you are trying to verify a certificate chain, it does not work
with openssl 1.1.  You have to stay at 1.0 until someone (perhaps me)
submits a fix.

~~~~~~~~~~~~~

BTW, the only time I ever saw rsaOAEP was for TPM 1.2 EK certificates.
If you're working with the TPM, I can supply a lot of sample code.

On 8/8/2018 12:01 PM, Stephane van Hardeveld wrote:

> Hello all,
>
> By default, if I create an X 509 certificate with a public key in it, the
> object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
> specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
> I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
> places in code, but the only place this object ID is specified is in
> obj_dat.h, and not used anywhere else (as far as I can see...)
>
> Regards,
> Stephane van Hardeveld
>



Re: rsaOAEP OID in X509 certificate

hardeves
Hi Ken,

I am trying to do two things:
1: Generate X 509 certificates, with RSA-PSS signing, with different Hashing
and Masking (SHA1 and SHA256), including an RSA Public key as content. This
RSA 'content key' should specify it will be used for RSA-OAEP decryption.
2: Verify X 509 certificates, produced by other tools, which have the same
format

Currently, I am able to:
- create a X 509 certificate with the different hashing and masking
algorithms, but only with standard RSA Encryption OID. Verification of these
certificates succeeds, and X509_get_pubkey() works as expected
- Verify a X 509 certificate which is generated by a different tool, with
SHA256 hashing and masking and RSA OAEP OID. Verification succeeds, but
indeed, X509_get_pubkey fails (unknown algorithm I believe). I am able to
retrieve the public key via
        ASN1_BIT_STRING *asnPubKey = X509_get0_pubkey_bitstr(x);
        unsigned char* pblob = asnPubKey->data;
And then parsing the ASN myself. Will test your solution as well, seems a
bit more robust ;-)

One other thing I encountered: if wincrypt is used as certificate generator,
it creates a valid certificate when using SHA1 as hashing and masking
algorithm, but the signing seems to go wrong: openssl X509_verify reports
'first octet invalid'. Any idea if this is an issue with wincrypt? If using
SHA256 as hashing and masking, the resulting ASN is invalid (sizes are not
correct), openssl still can read it, and still reports the same 'first octet
invalid' error.
Verification of the signing itself is then already ok, right?

Regards,
Stephane

> -----Original Message-----
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Ken Goldman
> Sent: woensdag 8 augustus 2018 19:21
> To: [hidden email]
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
> 1 - If you are trying to extract the public key, X509_get_pubkey() won't
> work.  I have sample code to do it.  Let me know if you want the
> complete function.
>
> Basically:
>
> X509_get_X509_PUBKEY
> X509_PUBKEY_get0_param
> d2i_RSAPublicKey
>
> 2 - If you are trying to verify a certificate chain, it does not work
> with openssl 1.1.  You have to stay at 1.0 until someone (perhaps me)
> submits a fix.
>
> ~~~~~~~~~~~~~
>
> BTW, the only time I ever saw rsaOAEP was for TPM 1.2 EK certificates.
> If you're working with the TPM, I can supply a lot of sample code.
>
> On 8/8/2018 12:01 PM, Stephane van Hardeveld wrote:
> > Hello all,
> >
> > By default, if I create an X 509 certificate with a public key in it, the
> > object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
> > specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
> > I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
> > places in code, but the only place this object ID is specified is in
> > obj_dat.h, and not used anywhere else (as far as I can see...)
> >
> > Regards,
> > Stephane van Hardeveld
> >

Re: rsaOAEP OID in X509 certificate

Ken Goldman-2
On 8/9/2018 4:14 AM, Stephane van Hardeveld wrote:
> Hi Ken,
>
> I am trying to do two things:
> 1: Generate X 509 certificates, with RSA-PSS signing, with different Hashing
> and Masking (SHA1 and SHA256), including an RSA Public key as content. This
> RSA 'content key' should specify it will be used for RSA-OAEP decryption.
> 2: Verify X 509 certificates, produced by other tools, which have the same
> format

Do you really have to use a non-standard OID for the public key?

If you do, you will be creating a certificate that cannot be parsed by
openssl, Java's crypto library, and perhaps others.  Your users will
have to write custom code to validate the certificate and to extract the
public key.

In addition, you'll need custom CA code to create the certificates.

I worry that custom crypto code can open attack surfaces compared
to using well tested standards.  Parsing DER securely is known to be
hard.



Re: rsaOAEP OID in X509 certificate

hardeves
> -----Original Message-----

> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Ken Goldman
> Sent: donderdag 9 augustus 2018 14:56
> To: [hidden email]
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
> On 8/9/2018 4:14 AM, Stephane van Hardeveld wrote:
> > Hi Ken,
> >
> > I am trying to do two things:
> > 1: Generate X 509 certificates, with RSA-PSS signing, with different Hashing
> > and Masking (SHA1 and SHA256), including an RSA Public key as content. This
> > RSA 'content key' should specify it will be used for RSA-OAEP decryption.
> > 2: Verify X 509 certificates, produced by other tools, which have the same
> > format
>
> Do you really have to use a non-standard OID for the public key?
>
> If you do, you will be creating a certificate that cannot be parsed by
> openssl, Java's crypto library, and perhaps others.  Your users will
> have to write custom code to validate the certificate and to extract the
> public key.
>
> In addition, you'll need custom CA code to create the certificates.
>
> I worry that custom crypto code can open attack surfaces compared
> to using well tested standards.  Parsing DER securely is known to be
> hard.
>
>
Hi Ken,

I will discuss this, but as far as I understand, these OID are allowed by
the X 509 standard:
4.1.2.7.  Subject Public Key Info

   This field is used to carry the public key and identify the algorithm
   with which the key is used (e.g., RSA, DSA, or Diffie-Hellman).  The
   algorithm is identified using the AlgorithmIdentifier structure
   specified in Section 4.1.1.2.  The object identifiers for the
   supported algorithms and the methods for encoding the public key
   materials (public key and parameters) are specified in [RFC3279],
   [RFC4055], and [RFC4491].

And in rfc4055, 4.1

 Openssl is capable of parsing it, only retrieving it gives an error on
unknown algorithm (which is correct, since only rsaEncryption OID is
recognized). Java I did not try yet, but the online ASN.1 parsers were also
capable of decoding it, see enclosed png.

Regards,
Stephane

Attachment: certificate_asndecoded.png (78K)

Re: rsaOAEP OID in X509 certificate

Ken Goldman-2
On 8/9/2018 10:51 AM, Stephane van Hardeveld wrote:

>
> I will discuss this, but as far as I understand, these OID are allowed by
> the X 509 standard:
> 4.1.2.7.  Subject Public Key Info
>
>  [snip]
>
> And in rfc4055, 4.1
>
>   Openssl is capable of parsing it, only retrieving it gives an error on
> unknown algorithm (which is correct, since only rsaEncryption OID is
> recognized). Java I did not try yet, but the online ASN.1 parsers were also
> capable of decoding it, see enclosed png.

I understand that the X509 standard permits it.

However, I'm looking at the practical side - crypto libraries.

If openssl, Java, etc. can't use the results, and a typical CA can't
create the certificate, then you require custom code.

The drawback is that custom code, especially DER parsing code, is a
security risk.  It's hard to get correct when facing an attacker sending
malformed certificates.

You have to decide whether the benefit to this "meets the X509 standard
but isn't supported" OID is worth the potential for an exploitable bug.
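
The strictness this reply asks of hand-written DER code, as an added example that is not part of the thread and not OpenSSL code: a minimal C reader that classifies the algorithm OID of a DER SubjectPublicKeyInfo and rejects bad length fields instead of trusting them. The names `span`, `der_read` and `spki_classify` and the sample bytes are constructed for illustration; the OAEP/PSS parameters are skipped, not validated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct { const unsigned char *p; size_t len; } span;
enum spki_alg { SPKI_MALFORMED = -1, SPKI_OTHER, SPKI_RSA_ENCRYPTION,
                SPKI_RSAES_OAEP, SPKI_RSASSA_PSS };

/* Read one DER TLV with the expected tag from *in. On success *val covers the
 * contents and *in is advanced past the element. Returns 0 on any violation. */
static int der_read(span *in, unsigned char tag, span *val)
{
    size_t n, i, hdr = 2;

    if (in->len < 2 || in->p[0] != tag) return 0;
    n = in->p[1];
    if (n & 0x80) {                                  /* long-form length */
        size_t nbytes = n & 0x7f;
        if (nbytes == 0 || nbytes > 4) return 0;     /* indefinite (BER) or huge */
        if (in->len < 2 + nbytes) return 0;          /* length bytes truncated */
        if (in->p[2] == 0) return 0;                 /* leading zero: not minimal */
        for (n = 0, i = 0; i < nbytes; i++)
            n = (n << 8) | in->p[2 + i];
        if (n < 0x80) return 0;                      /* DER demands short form */
        hdr += nbytes;
    }
    if (n > in->len - hdr) return 0;                 /* contents overrun buffer */
    val->p = in->p + hdr;
    val->len = n;
    in->p += hdr + n;
    in->len -= hdr + n;
    return 1;
}

/* Classify the key algorithm of a DER SubjectPublicKeyInfo without trusting
 * any length field. AlgorithmIdentifier parameters are skipped, not parsed. */
enum spki_alg spki_classify(const unsigned char *der, size_t len)
{
    /* 1.2.840.113549.1.1 (PKCS #1 arc); the final arc selects the algorithm */
    static const unsigned char pkcs1[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01};
    span in = { der, len }, spki, alg, key, oid;

    if (!der_read(&in, 0x30, &spki) || in.len != 0)  /* no trailing bytes */
        return SPKI_MALFORMED;
    if (!der_read(&spki, 0x30, &alg) || !der_read(&spki, 0x03, &key) || spki.len != 0)
        return SPKI_MALFORMED;
    if (key.len < 2 || key.p[0] != 0)                /* BIT STRING, 0 unused bits */
        return SPKI_MALFORMED;
    if (!der_read(&alg, 0x06, &oid))
        return SPKI_MALFORMED;
    if (oid.len != sizeof pkcs1 + 1 || memcmp(oid.p, pkcs1, sizeof pkcs1) != 0)
        return SPKI_OTHER;
    switch (oid.p[sizeof pkcs1]) {
    case 0x01: return SPKI_RSA_ENCRYPTION;           /* 1.2.840.113549.1.1.1  */
    case 0x07: return SPKI_RSAES_OAEP;               /* 1.2.840.113549.1.1.7  */
    case 0x0A: return SPKI_RSASSA_PSS;               /* 1.2.840.113549.1.1.10 */
    default:   return SPKI_OTHER;
    }
}

/* Constructed samples: a toy 8-byte RSAPublicKey (n=0x55, e=3), not a real key. */
#define ALG(last, p0, p1) 0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,last,p0,p1
#define KEY 0x03,0x09,0x00,0x30,0x06,0x02,0x01,0x55,0x02,0x01,0x03
static const unsigned char SAMPLE_RSA[]     = { 0x30,0x1A, ALG(0x01,0x05,0x00), KEY };
static const unsigned char SAMPLE_OAEP[]    = { 0x30,0x1A, ALG(0x07,0x30,0x00), KEY };
static const unsigned char BAD_OVERRUN[]    = { 0x30,0x1B, ALG(0x07,0x30,0x00), KEY };
static const unsigned char BAD_NONMINIMAL[] = { 0x30,0x81,0x1A, ALG(0x07,0x30,0x00), KEY };

int main(void)
{
    printf("rsa=%d oaep=%d overrun=%d nonminimal=%d\n",
           spki_classify(SAMPLE_RSA, sizeof SAMPLE_RSA),
           spki_classify(SAMPLE_OAEP, sizeof SAMPLE_OAEP),
           spki_classify(BAD_OVERRUN, sizeof BAD_OVERRUN),
           spki_classify(BAD_NONMINIMAL, sizeof BAD_NONMINIMAL));
    return 0;
}
```

The two `BAD_*` samples differ from the OAEP sample only in the outer length field: one claims a byte more than the buffer holds, the other uses a BER long-form length that DER forbids.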


Re: rsaOAEP OID in X509 certificate

hardeves


> -----Original Message-----
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Ken Goldman
> Sent: donderdag 9 augustus 2018 18:52
> To: [hidden email]
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
> On 8/9/2018 10:51 AM, Stephane van Hardeveld wrote:
> >
> > I will discuss this, but as far as I understand, these OID are allowed by
> > the X 509 standard:
> > 4.1.2.7.  Subject Public Key Info
> >
> >  [snip]
> >
> > And in rfc4055, 4.1
> >
> >   Openssl is capable of parsing it, only retrieving it gives an error on
> > unknown algorithm (which is correct, since only rsaEncryption OID is
> > recognized). Java I did not try yet, but the online ASN.1 parsers were also
> > capable of decoding it, see enclosed png.
>
> I understand that the X509 standard permits it.
>
> However, I'm looking at the practical side - crypto libraries.
>
> If openssl, Java, etc. can't use the results, and a typical CA can't
> create the certificate, then you require custom code.
>
> The drawback is that custom code, especially DER parsing code, is a
> security risk.  It's hard to get correct when facing an attacker sending
> malformed certificates.
>
> You have to decide whether the benefit to this "meets the X509 standard
> but isn't supported" OID is worth the potential for an exploitable bug.
>
Ah, yes. The practical world. Always a bummer.
But good point anyways.

Thanks for shedding some light on this issue

Regards,
Stephane


Re: rsaOAEP OID in X509 certificate

Viktor Dukhovni
In reply to this post by hardeves


> On Aug 8, 2018, at 12:01 PM, Stephane van Hardeveld <[hidden email]> wrote:
>
> By default, if I create an X 509 certificate with a public key in it, the
> object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
> specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
> I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
> places in code, but the only place this object ID is specified is in
> obj_dat.h, and not used anywhere else (as far as I can see...)

This request is a bit puzzling, since OAEP is a padding mode for RSA
*encryption*, not RSA signatures.  For the latter, one typically
goes with PSS if one wants a more modern signature scheme.

OpenSSL supports OAEP for RSA encryption (e.g. in CMS), but in X.509,
where the task at hand is signing...  So it is not clear that what
you're looking for makes sense.

--
        Viktor.


Re: rsaOAEP OID in X509 certificate

hardeves


> -----Original Message-----
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Viktor Dukhovni
> Sent: donderdag 9 augustus 2018 21:05
> To: [hidden email]
> Subject: Re: [openssl-users] rsaOAEP OID in X509 certificate
>
>
>
> > On Aug 8, 2018, at 12:01 PM, Stephane van Hardeveld <[hidden email]> wrote:
> >
> > By default, if I create an X 509 certificate with a public key in it, the
> > object identifier is rsaEncryption (1.2.840.113549.1.1.1). Is it possible to
> > specify a different object identifier, e.g. rsaOAEP (1.2.840.113549.1.1.7)?
> > I looked into the various EVP_PKEY and EVP_PKEY_CTX functions, and other
> > places in code, but the only place this object ID is specified is in
> > obj_dat.h, and not used anywhere else (as far as I can see...)
>
> This request is a bit puzzling, since OAEP is a padding mode for RSA
> *encryption*, not RSA signatures.  For the latter, one typically
> goes with PSS if one wants a more modern signature scheme.
>
> OpenSSL supports OAEP for RSA encryption (e.g. in CMS), but in X.509,
> where the task at hand is signing...  So it is not clear that what
> you're looking for makes sense.
>
> --
> Viktor.
>
Hi Viktor,

The certificate is signed with PSS. However, I try to indicate that the
public key enclosed IN the certificate should be used with the OAEP padding
mode while decrypting a separate message

Regards,
Stephane


Re: rsaOAEP OID in X509 certificate

Viktor Dukhovni


> On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld <[hidden email]> wrote:
>
> The certificate is signed with PSS. However, I try to indicate that the
> public key enclosed IN the certificate should be used with the OAEP padding
> mode while decrypting a separate message

Keys in X.509 certificates are mostly used for signing (e.g. TLS with
DHE or ECDHE key agreement).  But I guess you could mint an encryption-only
certificate that is not useful for signing, and use it exclusively for
key wrapping.  I don't know whether marking the key as an RSA-OAEP key
would then have the effect of restricting its usage by various libraries
to OAEP.  In the case of OpenSSL such an SPKI would simply not work at
all. :-(  If someone contributed a quality implementation of this key
type, it would probably be a good candidate for inclusion in libcrypto.

More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
the message is part of the message metadata, and so decryption will
automatically use OAEP when it was explicitly selected at the time
the message was created.  Thus OAEP is baked into the message, rather
than the certificate.

OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
can create RSA encrypted objects, but does not presently support
X.509 certificates with RFC4055/RFC5756 OAEP SPKI.

        https://tools.ietf.org/html/rfc4055#section-4.1
        https://tools.ietf.org/html/rfc5756#section-4

--
        Viktor.


Re: rsaOAEP OID in X509 certificate

hardeves
>
> Keys in X.509 certificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement).  But I guess you could mint an encryption-only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.

That is exactly the use case ;-)

> I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP.  In the case of OpenSSL such an SPKI would simply not work at
> all. :-(  If someone contributed a quality implementation of this key
> type, it would probably be a good candidate for inclusion in libcrypto.
>
> More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it was explicitly selected at the time
> the message was created.  Thus OAEP is baked into the message, rather
> than the certificate.

That is a perfect reason to use rsaEncryption as PKI OID then.

>
> OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
> can create RSA encrypted objects, but does not presently support
> X.509 certificates with RFC4055/RFC5756 OAEP SPKI.

Thanks for clearing that up. Ken Goldman mentioned it as well.
The only more broadly used implementation I have seen until now (besides some
proprietary implementations) supporting this kind of certificate is
wincrypt. But not without flaws, especially in the masking function.

Regards,
Stephane


Re: rsaOAEP OID in X509 certificate

Hubert Kario
In reply to this post by Viktor Dukhovni
On Thursday, 9 August 2018 22:01:25 CEST Viktor Dukhovni wrote:

> > On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld
> > <[hidden email]> wrote:
> >
> > The certificate is signed with PSS. However, I try to indicate that the
> > public key enclosed IN the certificate should be used with the OAEP
> > padding
> > mode while decrypting a separate message
>
> Keys in X.509 certificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement).  But I guess you could mint an encryption-only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.  I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP.
it would, they would barf up just like they are barfing up while noticing
rsa-pss OID in SPKI

> More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it was explicitly selected at the time
> the message was created.  Thus OAEP is baked into the message, rather
> than the certificate.

the point is to have a certificate that can not be used for Bleichenbacher
attacks, and for it it needs to be baked into certificate

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

Re: rsaOAEP OID in X509 certificate

hardeves
In reply to this post by Viktor Dukhovni
>
> > On Aug 9, 2018, at 3:21 PM, Stephane van Hardeveld <[hidden email]> wrote:
> >
> > The certificate is signed with PSS. However, I try to indicate that the
> > public key enclosed IN the certificate should be used with the OAEP padding
> > mode while decrypting a separate message
>
> Keys in X.509 certificates are mostly used for signing (e.g. TLS with
> DHE or ECDHE key agreement).  But I guess you could mint an encryption-only
> certificate that is not useful for signing, and use it exclusively for
> key wrapping.  I don't know whether marking the key as an RSA-OAEP key
> would then have the effect of restricting its usage by various libraries
> to OAEP.  In the case of OpenSSL such an SPKI would simply not work at
> all. :-(  If someone contributed a quality implementation of this key
> type, it would probably be a good candidate for inclusion in libcrypto.
>
> More typically (e.g. IN CMS), the fact that OAEP was used to encrypt
> the message is part of the message metadata, and so decryption will
> automatically use OAEP when it was explicitly selected at the time
> the message was created.  Thus OAEP is baked into the message, rather
> than the certificate.
>
> OpenSSL supports "oaep" in cms(1), pkeyutl(1) and rsautl(1) which
> can create RSA encrypted objects, but does not presently support
> X.509 certificates with RFC4055/RFC5756 OAEP SPKI.
>
> https://tools.ietf.org/html/rfc4055#section-4.1
> https://tools.ietf.org/html/rfc5756#section-4
>

If I would try this endeavour, what would be the best interface to set this?
For creation, use the EVP_PKEY type with the EVP_PKEY_CTX, and set
attributes there?
Something like:
res = X509_set_pubkey(cert, contentKey);
EVP_DigestSignInit(ctx, &pkey_ctx, EVP_sha256(), NULL, contentKey);
EVP_PKEY_encrypt_init(pkey_ctx);
EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING);
EVP_PKEY_CTX_set_signature_md(pkey_ctx, EVP_sha256());

Etc?

And support RSA_PKCS1_PSS_PADDING  as well, to indicate the key in the
certificate should only be used for verification purposes?

Retrieval of these keys should then automatically get the ameth struct
filled with the appropriate RSA encryption and verification functions, so
the rsa_asn1_meths should be extended with
a set for RSA_OAEP encryption and RSA_PSS verification?

Or am I going at this completely wrong?

Regards,
Stephane



Re: rsaOAEP OID in X509 certificate

Viktor Dukhovni


> On Aug 14, 2018, at 4:55 PM, Stephane van Hardeveld <[hidden email]> wrote:
>
> If I would try this endeavour, what would be the best interface to set this?
> For creation, use the EVP_PKEY type with the EVP_PKEY_CTX, and set
> attributes there?

You'll need a new EVP_PKEY type that is mostly like RSA, but specialized
for OAEP.

> Something like:
> res = X509_set_pubkey(cert, contentKey);
> EVP_DigestSignInit(ctx, &pkey_ctx, EVP_sha256(), NULL, contentKey);
> EVP_PKEY_encrypt_init(pkey_ctx);
> EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING);
> EVP_PKEY_CTX_set_signature_md(pkey_ctx, EVP_sha256());

Nothing in EVP_PKEY_CTX has any effect on the key.  The data flow
is in the other direction.  Different key types lead to different
EVP_PKEY_CTX objects that are used to process data with that key.

--
        Viktor.


Re: rsaOAEP OID in X509 certificate

hardeves
> > On Aug 14, 2018, at 4:55 PM, Stephane van Hardeveld <[hidden email]> wrote:
> >
> > If I would try this endeavour, what would be the best interface to set this?
> > For creation, use the EVP_PKEY type with the EVP_PKEY_CTX, and set
> > attributes there?
>
> You'll need a new EVP_PKEY type that is mostly like RSA, but specialized
> for OAEP.
Ok, makes sense

>
> > Something like:
> > res = X509_set_pubkey(cert, contentKey);
> > EVP_DigestSignInit(ctx, &pkey_ctx, EVP_sha256(), NULL, contentKey);
> > EVP_PKEY_encrypt_init(pkey_ctx);
> > EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_OAEP_PADDING);
> > EVP_PKEY_CTX_set_signature_md(pkey_ctx, EVP_sha256());
>
> Nothing in EVP_PKEY_CTX has any effect on the key.  The data flow
> is in the other direction.  Different key types lead to different
> EVP_PKEY_CTX objects that are used to process data with that key.
Thank you for clearing this up

Regards,
Stephane
