[TLS] Ecdsa-sig-value in TLS 1.3 – need for erratum?

[Hubert Kario]

tl;dr: there are conflicting definitions of ECDSA-Sig-Value structure, which 
one "MUST" be used in TLS 1.3?


The ECDSA signature in TLS 1.3 (RFC 8446) is defined as follows:

   ECDSA algorithms:  Indicates a signature algorithm using ECDSA
      [ECDSA], the corresponding curve as defined in ANSI X9.62 [ECDSA]
      and FIPS 186-4 [DSS], and the corresponding hash algorithm as
      defined in [SHS].  The signature is represented as a DER-encoded
      [X690] ECDSA-Sig-Value structure.

I.e. there is no clear reference where the ECDSA-Sig-Value structure is 
defined.

At the same time, in TLS 1.2 (RFC 5246) it is defined as follows:
   signature
      This field indicates the signature algorithm that may be used.
      The values indicate anonymous signatures, RSASSA-PKCS1-v1_5
      [PKCS1] and DSA [DSS], and ECDSA [ECDSA], respectively.  The
      "anonymous" value is meaningless in this context but used in
      Section 7.4.3.  It MUST NOT appear in this extension.

with [ECDSA] being reference to X9.62-2005 in both standards.
In other parts of RFC 5246 there's also a reference to RFC 4492, but non-
normative.

Now, I don't have access to X9.62-2005, but there's a possibility of 
confusion. The RFC 5246 defines the ECDSA-Sig-Value as follows:

           Ecdsa-Sig-Value ::= SEQUENCE {
               r       INTEGER,
               s       INTEGER
           }

At the same time SEC 1 v2.0[1] defines that structure as follows:

           ECDSA-Sig-Value ::= SEQUENCE {
               r INTEGER,
               s INTEGER,
               a INTEGER OPTIONAL,
               y CHOICE { b BOOLEAN, f FieldElement } OPTIONAL
           }

(or in case the programmer confuses ECDSA-Sig-Value with ECDSA-Signature (or 
uses API that accepts the latter), then also the following encoding may be 
used:

           ECDSA-Full-R ::= SEQUENCE{
               r ECPoint,
               s INTEGER
           }
)


Now, my understanding is that only the two-integer SEQUENCE is supposed to be 
used or supported, but I don't think it follows directly from the text. So I 
think the RFC 8446 should be updated with an erratum that specifies the source 
of the ECDSA-Sig-Value structure.

 1 - https://www.secg.org/sec1-v2.pdf
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

signature.asc
Description: This is a digitally signed message part.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls