Skip to content

Version 0.10

Compare
Choose a tag to compare
@github-actions github-actions released this 23 Apr 21:21
· 51 commits to master since this release
spec: Refactor SeedReport to avoid impossible signature constraints

The layout of SeedReport currently includes the signatureAlgorithm
within the SeedDescriptor.  When multiple signatures are present this
therefore requires the ability to construct the signatureAlgorithm
value independently of constructing the signature, since each
signature must be computed over content that includes the full list of
signatureAlgorithm values.

This is not necessarily possible.  The signing API as exposed by
OpenSSL's ASN1_item_sign() reserves the right to reconstruct the
contents of the signatureAlgorithm at the time that the signature is
computed.  The API allows for the fact that the signatureAlgorithm may
appear within the data being signed (as is the case for X.509
certificates).  This API precludes the possibility of multiple
signatures over the same object where that object contains the
signatureAlgorithms, because each new signature reserves the right to
modify its signatureAlgorithm value (and hence to modify the data that
has already been signed by the previous signature).

It is unclear from the assorted specifications whether this is a quirk
of the OpenSSL APIs or a fundamental limitation of the signing
process.  The AlgorithmIdenfitier data type used for
signatureAlgorithm is remarkably flexible, and it is certainly
plausible that some signature schemes may define parameters that
depend upon the precise data over which the signature is computed.

X.509 avoids this problem because there can only ever be a single
signature within a certificate.  CMS supports multiple signatures but
avoids this problem by excluding the signatureAlgorithm from the data
being signed.  This in turn opens up the possibility of an algorithmic
substitution attack as documented in RFC 6211.

The approach taken by RFC 6211 is essentially equivalent to
constructing a signature over a virtual data object that includes both
the signatureAlgorithm and the actual data content.  We choose to
adopt a similar approach, defining a virtual data object over which
the signature is to be computed.  Since the specification has not yet
reached version 1.0, backwards compatibility need not be taken into
consideration; we can therefore make this the only defined way for a
signature to be computed.

Signed-off-by: Michael Brown <[email protected]>