[krbdev.mit.edu #8506] PKINIT fails with PKCS#11 middleware that implements PKCS#1 V2.1

Tom Yu via RT rt-comment at krbdev.mit.edu
Thu Oct 6 17:39:48 EDT 2016


Further details for future reference:

Our PKINIT implementation uses the PKCS #1 (RFC 3447) RSA signature
algorithm RSASSA-PKCS1-v1_5 (section 8.2).  This takes as input the
result of EMSA-PKCS1-v1_5 (section 9.2) and uses that as the "message"
for the RSA modular exponentiation operation RSASP1 (section 5.2.1).

An intermediate step of EMSA-PKCS1-v1_5 produces a DER encoding of the
DigestInfo ASN.1 type.  The AlgorithmIdentifier field of DigestInfo has
an OID field and an optional variable-type parameters field.

For the SHA-1 algorithm, the parameters are the ASN.1 NULL type.  The
parameters must be present when SHA-1 is used with EMSA-PKCS1-v1_5.
(This is ambiguous in RFC 3447 but clarified in PKCS #1 v2.2, which
isn't published as an RFC.)  Prior to this patch, we omitted the
parameters when using a PKCS #11 token with CKM_RSA_PKCS to sign
PKINIT-related data.

(CKM_RSA_PKCS is unusual in that it's a semi-raw RSA mechanism.  For
signing, it requires a DER DigestInfo encoding -- minus the
EMSA-PKCS1-v1_5 padding -- as input instead of variable-length data to
be signed.)

OpenSSL and other crypto libraries have historically been lenient about
validating the DigestInfo during RSA signature verification, leading to
some signature forgery vulnerabilities.  OpenSSL is less lenient now,
but still allows the parameters to be omitted.

The bug report forwarded from Ubuntu seems to involve a smart card that
is strict about validating the DigestInfo encoding when signing using
CKM_RSA_PKCS.
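The DigestInfo encoding the message describes, as an added example that is not part of the ticket or of the krb5 sources. It builds the DER DigestInfo for SHA-1 and SHA-256 both with the ASN.1 NULL parameters and without them (the pre-fix form), wraps it in EMSA-PKCS1-v1_5 padding, and then validates a DigestInfo the way a strict CKM_RSA_PKCS signer (the smart card in the report) or a lenient verifier would. The function names, the `strict` flag and the sample message are this example's own assumptions; the OIDs and encodings are the standard ones from RFC 3447 section 9.2.

```python
"""Build and validate the PKCS #1 DigestInfo encoding used by EMSA-PKCS1-v1_5."""
import hashlib

# DER contents bytes of the hash OIDs listed in RFC 3447 section 9.2, Note 1.
HASH_OIDS = {
    "sha1":   bytes.fromhex("2b0e03021a"),          # id-sha1   1.3.14.3.2.26
    "sha256": bytes.fromhex("608648016503040201"),  # id-sha256 2.16.840.1.101.3.4.2.1
}
DIGEST_LEN = {HASH_OIDS["sha1"]: 20, HASH_OIDS["sha256"]: 32}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV.  Every DigestInfo for these hashes is under 128
    bytes, so only short-form lengths are supported here."""
    if len(content) > 127:
        raise ValueError("long-form DER lengths not needed for DigestInfo")
    return bytes([tag, len(content)]) + content


def read_tlv(buf: bytes, pos: int):
    """Decode one short-form DER TLV at buf[pos]; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length > 127:
        raise ValueError("unexpected long-form length")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, buf[pos + 2:end], end


def digest_info(hash_name: str, message: bytes, with_null_params: bool = True) -> bytes:
    """DER DigestInfo { AlgorithmIdentifier, OCTET STRING digest }.
    with_null_params=False reproduces the pre-fix encoding the message
    describes: the AlgorithmIdentifier carries the OID alone."""
    digest = hashlib.new(hash_name, message).digest()
    alg = der_tlv(0x06, HASH_OIDS[hash_name])
    if with_null_params:
        alg += b"\x05\x00"                       # ASN.1 NULL parameters
    return der_tlv(0x30, der_tlv(0x30, alg) + der_tlv(0x04, digest))


def emsa_pkcs1_v1_5(message: bytes, hash_name: str, em_len: int,
                    with_null_params: bool = True) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T (RFC 3447 section 9.2).  This is the
    integer RSASP1 exponentiates.  With CKM_RSA_PKCS the token adds this
    padding itself and the application supplies only T."""
    t = digest_info(hash_name, message, with_null_params)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def parse_digest_info(t: bytes, strict: bool):
    """Validate a DigestInfo.  strict=True models the smart card in the report:
    the AlgorithmIdentifier parameters must be present as NULL.  strict=False
    models a lenient verifier that tolerates absent parameters.  Returns
    (oid_contents, digest) or raises ValueError."""
    tag, body, end = read_tlv(t, 0)
    if tag != 0x30 or end != len(t):
        raise ValueError("DigestInfo is not a single SEQUENCE")
    tag, alg_body, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, digest, end = read_tlv(body, pos)
    if tag != 0x04 or end != len(body):
        raise ValueError("digest OCTET STRING missing or trailing data after it")
    tag, oid, pos = read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("algorithm OID missing")
    if pos == len(alg_body):
        if strict:
            raise ValueError("AlgorithmIdentifier parameters absent (NULL required)")
    else:
        tag, params, end = read_tlv(alg_body, pos)
        if tag != 0x05 or params != b"" or end != len(alg_body):
            raise ValueError("parameters must be exactly ASN.1 NULL")
    # The digest length must match the hash the OID names (unknown OIDs fail).
    if DIGEST_LEN.get(oid) != len(digest):
        raise ValueError("unknown OID or digest length mismatch")
    return oid, digest


def token_accepts(t: bytes, strict: bool) -> bool:
    """True if a strict or lenient CKM_RSA_PKCS signer would accept T as input."""
    try:
        parse_digest_info(t, strict)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = b"constructed sample bytes, not real PKINIT data"   # constructed input
    for null in (True, False):
        t = digest_info("sha1", msg, null)
        print(f"NULL params={null}: T={t.hex()} "
              f"strict={token_accepts(t, True)} lenient={token_accepts(t, False)}")
```

Running the block prints the two SHA-1 DigestInfo encodings for the constructed message; the strict check accepts only the form with the NULL parameters, which is the behaviour the report attributes to the card, while the lenient check accepts both.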


