On Saturday, 28 January 2017 06:51:10 CET Peter Gutmann wrote:
> Jakob Bohm <[email protected]> writes:
> >DSA and ECDSA signatures are only secure if the hash algorithm is specified
> >in the certificate, presumably as part of the AlgorithmIdentifier in the
> >SubjectPublicKeyInfo.
>
> It's in the (badly-named) signature field of the cert, if it was in the
> signatureAlgorithm it wouldn't be covered by the sig. Having said that, I
> don't know how many implementations actually check whether what's in the
> signature corresponds to the signatureAlgorithm, I tried it many years ago
> (md5With... vs sha1With...) and nothing much seemed to notice, as long as
> the signatureAlgorithm was the one that was correct for the signature.
I've tested it for TLS signatures[1], and OpenSSL, NSS and GnuTLS do match the sig alg with the hash info structure in the actual signature.

1 - https://github.com/tomato42/tlsfuzzer/blob/master/scripts/test-certificate-verify-malformed-sig.py

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
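The point in the exchange above is that an X.509 certificate carries the signature algorithm twice: once in the `signature` field inside `tbsCertificate` (covered by the signature) and once in the outer `signatureAlgorithm` field (not covered). A verifier that only trusts the outer field can be steered to the wrong hash, so the two must be compared. The following is an added example written for this page, not code from the thread, from tlsfuzzer, or from any of the libraries named: a minimal DER walker that extracts both AlgorithmIdentifier OIDs and reports whether they agree. The `toy_certificate` builder and the OID constants are constructed for the demonstration; the skeletons it produces have empty Name/Validity/SPKI placeholders and a dummy signature value, so they are only structurally valid enough for this one check, not verifiable certificates.

```python
"""Check that tbsCertificate.signature matches the outer signatureAlgorithm.

Added example (not from the mailing-list thread). Pure-Python DER handling,
no third-party dependencies. Sample certificates are constructed in-line.
"""

# Constructed sample OIDs (real values, chosen to echo the md5With vs sha1With test in the thread).
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
OID_MD5_WITH_RSA = "1.2.840.113549.1.1.4"
OID_SHA1_WITH_RSA = "1.2.840.113549.1.1.5"


# --- tiny DER encoder, only what the toy builder needs ---------------------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = bytearray([p & 0x7F])      # low 7 bits, last byte has high bit clear
        p >>= 7
        while p:
            chunk.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def algorithm_identifier(oid):
    # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }
    return der_tlv(0x30, der_oid(oid) + b"\x05\x00")


def toy_certificate(inner_oid, outer_oid, with_version=True):
    """Constructed skeleton: [0] version (optional), serial, signature AlgId, placeholders."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02")) if with_version else b""
    serial = der_tlv(0x02, b"\x01")
    placeholders = der_tlv(0x30, b"") * 4          # issuer, validity, subject, spki (empty)
    tbs = der_tlv(0x30, version + serial + algorithm_identifier(inner_oid) + placeholders)
    sig_value = der_tlv(0x03, b"\x00" + b"\xAA" * 8)  # BIT STRING with dummy contents
    return der_tlv(0x30, tbs + algorithm_identifier(outer_oid) + sig_value)


# --- minimal DER reader -----------------------------------------------------

def read_tlv(buf, pos):
    """Return (tag, contents, position after this TLV) for the element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents):
    first = contents[0]
    parts = [first // 40, first % 40]
    acc = 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # final byte of this sub-identifier
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def alg_oid(alg_id_contents):
    tag, oid_contents, _ = read_tlv(alg_id_contents, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid_contents)


def signature_algorithms(cert):
    """Return (inner_oid, outer_oid): tbsCertificate.signature and signatureAlgorithm."""
    tag, cert_body, _ = read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, after_tbs = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    # tbsCertificate begins: [0] EXPLICIT version OPTIONAL, serialNumber, signature
    tag, _, p = read_tlv(tbs, 0)
    if tag == 0xA0:                          # version present; the next element is the serial
        tag, _, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = read_tlv(tbs, p)       # signature AlgorithmIdentifier (signed)
    _, outer_alg, _ = read_tlv(cert_body, after_tbs)  # signatureAlgorithm (unsigned)
    return alg_oid(inner_alg), alg_oid(outer_alg)


def signature_fields_consistent(cert):
    """The check a verifier should perform before trusting either field."""
    inner, outer = signature_algorithms(cert)
    return inner == outer


if __name__ == "__main__":
    good = toy_certificate(OID_SHA256_WITH_RSA, OID_SHA256_WITH_RSA)
    bad = toy_certificate(OID_MD5_WITH_RSA, OID_SHA1_WITH_RSA)
    print("consistent:", signature_algorithms(good), signature_fields_consistent(good))
    print("mismatch:  ", signature_algorithms(bad), signature_fields_consistent(bad))
```

The reader walks only as far into `tbsCertificate` as it needs (version, serial, signature) and deliberately does not trust the outer field to tell it which hash was used; a verifier that wants to reject the md5With/sha1With mismatch Gutmann describes would refuse the certificate whenever `signature_fields_consistent` returns `False`.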

