[EMAIL PROTECTED] (Niels Möller) writes:

>> Note that different code is used for RSA signing in TLS and RSA
>> signing in X.509 in GnuTLS. The same problem came up in the TLS
>> context too for TLS v1.2 and there I added the following. (TLS before
>> v1.2 doesn't use RSA PKCS#1.)
>
> That's strange... I haven't worked at all with TLS or SSL recently,
> but I just looked up the Pike/Roxen SSL-3 implementation which I
> wrote about ten years ago. It uses a NULL parameter. It interoperated
> fine with the Netscape browser at the time. It's later been upgraded
> to support TLS, and at least I haven't heard about any
> interoperability problems.
>
> The relevant file is
> http://pike.ida.liu.se/development/cvs/log.xml?file=7.7/lib/modules/Standards.pmod/PKCS.pmod/Signature.pmod&module=Pike,
> and there are actually no changes to the digestinfo formatting since I
> checked in revision 1.1, 1997-11-30.
>
> //! @decl string build_digestinfo(string msg, Crypto.Hash hash)
> //! Construct a PKCS-1 digestinfo
> //! @param msg
> //!   message to digest
> //! @param hash
> //!   crypto hash object such as @[Crypto.SHA] or @[Crypto.MD5]
> string build_digestinfo(string msg, HASH hash)
> {
>   if(!hash->asn1_id) error("Unknown ASN.1 id for hash.\n");
>   string d = hash->hash(msg);
>   string id = hash->asn1_id();
>
>   return sprintf("%c%c%c%c%c%c%s%c%c%c%c%s",
>                  0x30, sizeof(id) + sizeof(d) + 8, 0x30, sizeof(id) + 4,
>                  0x06, sizeof(id), id, 0x05, 0x00, 0x04, sizeof(d), d);
> }                                   // ^^^^^^^^^^
>
> Note the NULL object on the final line.
>
> I'm sure you have read the specifications much more recently than I,
> but as far as I remember, SSL and TLS have always used PKCS#1 style
> RSA signatures, so it really surprises me that you say some versions
> of TLS didn't specify that.
Are you sure that code is used for signing in the RSA key exchange
ciphersuites, and not X.509 signing? The RSA key exchange ciphersuites
in TLS < 1.2 don't use RSA-PKCS#1 but sign a concatenation of the MD5 +
SHA1 hash instead, see RFC 4346:

   In RSA signing, a 36-byte structure of two hashes (one SHA and one
   MD5) is signed (encrypted with the private key). It is encoded with
   PKCS #1 block type 1, as described in [PKCS1A].

Only the padding is according to PKCS#1.

In TLS 1.2, RSA signing is done using one hash function only, and the
hash OID is prepended (actually the entire structure is the DigestInfo
ASN.1 structure, just like in your code, so it may hold parameters too).

Btw, I noticed that the latest TLS 1.2 draft says:

   In RSA signing, the opaque vector contains the signature generated
   using the RSASSA-PKCS1-v1_5 signature scheme defined in [PKCS1B]. As
   discussed in [PKCS1B], the DigestInfo MUST be DER encoded and for
   digest algorithms without parameters (which include SHA-1) the
   DigestInfo.AlgorithmIdentifier.parameters field SHOULD be omitted but
   implementations MUST accept both without parameters and with NULL
   parameters. Note that earlier versions of TLS used a different RSA
   signature scheme which did not include a DigestInfo encoding.

Initially I did follow the SHOULD and omitted the NULL, but I had
interop problems with the only other TLS 1.2 implementation I'm aware
of, so I changed GnuTLS. The old code is still available in a #if-block,
in case this changes again until the RFC is published.

> PS. Feel free to forward this message to some gnutls list if you find
> it appropriate; I'm not sending it to [email protected] since my
> previous message was automatically rejected.

The list is subscriber-only, I believe, but I added you to the whitelist
now, in case it makes a difference.

/Simon

_______________________________________________
Help-gnutls mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-gnutls
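The DigestInfo encoding the thread turns on, as an added Python example (not GnuTLS or Pike code): it builds the structure with the NULL parameters the Pike code emits and with the field omitted as the draft's SHOULD says, parses either form as the draft's MUST requires while rejecting anything else, and produces the 36-byte MD5||SHA-1 value that TLS before 1.2 signs. The hash names, the HASH_OID table and the helper names are my own choices.

```python
import hashlib

# DER contents of the hash OBJECT IDENTIFIERs used in DigestInfo (PKCS#1 / RFC 3447).
HASH_OID = {
    "md5":    bytes.fromhex("2a864886f70d0205"),
    "sha1":   bytes.fromhex("2b0e03021a"),
    "sha256": bytes.fromhex("608648016503040201"),
}

def _tlv(tag, body):
    # Short-form DER length only; every DigestInfo built here is well under 128 bytes.
    if len(body) >= 0x80:
        raise ValueError("long-form length not supported")
    return bytes([tag, len(body)]) + body

def build_digestinfo(msg, hash_name, null_params=True):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID [, NULL] }, OCTET STRING digest }.
    null_params=True mirrors the Pike code above; False omits the field (the draft's SHOULD)."""
    digest = hashlib.new(hash_name, msg).digest()
    alg = _tlv(0x06, HASH_OID[hash_name]) + (b"\x05\x00" if null_params else b"")
    return _tlv(0x30, _tlv(0x30, alg) + _tlv(0x04, digest))

def _read_tlv(buf, pos):
    # Short-form length only; the bounds check keeps a malformed blob from over-reading.
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80 or pos + 2 + buf[pos + 1] > len(buf):
        raise ValueError("truncated value or long-form length")
    end = pos + 2 + buf[pos + 1]
    return buf[pos], buf[pos + 2:end], end

def parse_digestinfo(der):
    """Strict parse that accepts the parameters field absent or NULL (the draft's MUST)
    and rejects anything else, trailing bytes included. Returns (hash_name, digest)."""
    tag, body, end = _read_tlv(der, 0)
    tag2, alg, pos = _read_tlv(body, 0)
    tag3, digest, pos2 = _read_tlv(body, pos)
    tag4, oid, p = _read_tlv(alg, 0)
    if (tag, tag2, tag3, tag4) != (0x30, 0x30, 0x04, 0x06):
        raise ValueError("unexpected ASN.1 tag")
    if end != len(der) or pos2 != len(body) or alg[p:] not in (b"", b"\x05\x00"):
        raise ValueError("trailing data or non-NULL parameters")
    names = [n for n, o in HASH_OID.items() if o == oid]
    if not names or len(digest) != hashlib.new(names[0]).digest_size:
        raise ValueError("unknown hash OID or wrong digest length")
    return names[0], digest

def tls_pre12_signed_hash(handshake_bytes):
    """TLS 1.0/1.1 RSA signatures (RFC 4346): the 36-byte MD5||SHA-1 value that is
    PKCS#1 block-type-1 padded directly, with no DigestInfo at all."""
    return hashlib.md5(handshake_bytes).digest() + hashlib.sha1(handshake_bytes).digest()
```

Both `build_digestinfo(msg, "sha1", True)` and `build_digestinfo(msg, "sha1", False)` parse back to the same hash name and digest, which is the interoperability property the draft's MUST is asking for.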
