<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 05/22/2012 04:05 PM, Nimeh, Jamil wrote:</tt>
<blockquote
cite="mid:6A95FA630FB5124C886BAD159CDBA1F011A2A711@wdc1exchmbxp05.hq.corp.viasat.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<tt>
</tt>
<style id="owaParaStyle" type="text/css">P {margin-top:0;margin-bottom:0;}</style>
<div style="direction: ltr; font-family: Tahoma; color: rgb(0, 0,
0); font-size: 10pt;"><tt><span style="font-family: Courier
New;">Hello all,</span><br style="font-family: Courier New;">
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">I have come across
what looks like a bug in SCEP responses from the CA when
using
</span>
</tt><tt><span style="font-family: Courier New;">SHA-256 and
SHA-512.</span><br style="font-family: Courier New;">
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">The problem appears to
be the OID that is given in the digestAlgorithm field of
</span>
</tt><tt><span style="font-family: Courier New;">the signerInfo
portion of the PKCS#7 signature. For CertRep messages using
MD5
</span><span style="font-family: Courier New;">and SHA-1 the
OID is correct and matches the single OID in the
digestAlgorithms
</span><span style="font-family: Courier New;">list from the
SignedData segment.</span><span style="font-family: Courier
New;"> In the case of SHA-256 and SHA-512, it appears that
the second to the last octet
</span><span style="font-family: Courier New;">in the two
digests (0x2) is missing. For SHA-256 the OID in the
signerInfo is
</span><span style="font-family: Courier New;">"2.16.840.1.101.3.4.1"
(it should be ...3.4.2.1). For SHA-512 the OID given is
</span><span style="font-family: Courier New;">"2.16.840.1.101.3.4.3"when
it should end "...3.4.2.3"</span><br style="font-family:
Courier New;">
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">When attempting to
verify the digest using NSS'SEC_PKCS7VerifySignature() /
</span>
</tt><tt><span style="font-family: Courier New;">SEC_PKCS7VerifyDetachedSignature()
it fails, and I believe it also fails with
</span><span style="font-family: Courier New;">similar calls
under OpenSSL. There's a mention of the latter on the
Dogtag
</span><span style="font-family: Courier New;">SCEP/SSCEP page
under the heading "SSCEP Error". I believe this error is
due to
</span><span style="font-family: Courier New;">this OID
discrepancy.</span><br style="font-family: Courier New;">
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">I've been looking in
the Dogtag source and the JSS Javadocs to see where this OID
</span>
</tt><tt><span style="font-family: Courier New;">might be coming
from. Everything I've looked at where OIDs for SHA-2
algorithms
</span><span style="font-family: Courier New;">are concerned
have the right bytes, so I've been unable to pinpoint where
the OID
</span><span style="font-family: Courier New;">is coming from.</span><br
style="font-family: Courier New;">
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">I can provide sample
CertRep messages with the odd OIDs in there if desired. A
</span>
</tt><tt><span style="font-family: Courier New;">sample
signerInfo from a SHA-256 CertRep failure message from
dumpasn1 is below:</span><br style="font-family: Courier
New;">
<br style="font-family: Courier New;">
Currently Running:
</tt><tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">Fedora Core 15 updated
to the latest as of 5/17/2012</span>
</tt><tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">pki-core (and other
rpms) 9.0.19-1</span>
</tt><tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">nss-* 3.13.4-2</span>
</tt><tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">jss-4.2.6.24</span>
</tt><tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">nspr-4.9-2</span>
</tt><tt><br style="font-family: Courier New;">
<br>
(I've also seen this behavior with pki-core 9.0.17 and its
corresponding packages as well)
</tt><tt><br>
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">I did go looking
through the mailing lists and bugzilla to see if this issue
had
</span>
</tt><tt><span style="font-family: Courier New;">been found and
didn't see anything. If I did overlook it then please
accept my
</span><span style="font-family: Courier New;">apologies. I'm
currently working around the problem by using SHA-1, but I'd
</span><span style="font-family: Courier New;">really like to
be able to use the stronger digest algorithms if possible.
If
</span><span style="font-family: Courier New;">anyone knows
how to get that working I'd appreciate it.</span><br
style="font-family: Courier New;">
<br style="font-family: Courier New;">
<span style="font-family: Courier New;">Thanks,</span>
</tt><tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">Jamil</span>
</tt><tt><br style="font-family: Courier New;">
</tt></div>
</blockquote>
<tt><br>
Hi <span style="font-family: Courier New;">Jamil,<br>
<br>
I'll be glad to review this issue. Could open a bugzilla bug?<br>
<br>
Thanks,<br>
Andrew<br>
</span><br>
</tt>
<blockquote
cite="mid:6A95FA630FB5124C886BAD159CDBA1F011A2A711@wdc1exchmbxp05.hq.corp.viasat.com"
type="cite">
<div style="direction: ltr;font-family: Tahoma;color:
#000000;font-size: 10pt;">
<tt><br style="font-family: Courier New;">
<span style="font-family: Courier New;">SAMPLE CertRep Fail
signerInfo using SHA-256:</span>
</tt><tt><br style="font-family: Courier New;">
<br style="font-family: Courier New;">
<br style="font-family: Courier New;">
</tt><tt>
<span style="font-family: Courier New;"> 60 623: SET {</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 64 619:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 68 1:
INTEGER 1</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 71 72:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 73 67:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 75
16: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 77
14: SEQUENCE {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 79
3: OBJECT IDENTIFIER organizationName (2 5
4 10)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (X.520 DN component)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 84
7: PrintableString 'TESTPKI'</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 93
15: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 95
13: SEQUENCE {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 97
3: OBJECT IDENTIFIER
organizationalUnitName (2 5 4 11)</span><br
style="font-family: Courier New;">
<br style="font-family: Courier New;">
</tt><tt>
<span style="font-family: Courier New;">
: (X.520 DN component)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 102
6: PrintableString 'pki-ca'</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 110
30: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 112
28: SEQUENCE {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 114
3: OBJECT IDENTIFIER commonName (2 5 4 3)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (X.520 DN component)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 119
21: PrintableString 'Certificate
Authority'</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 142 1:
INTEGER 1</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
}</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 145 12:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 147 8:
OBJECT IDENTIFIER aes (2 16 840 1 101 3 4 1)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (NIST Algorithm)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 157 0:
NULL</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
}</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 159 250:
[0] {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 162 17:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 164
10: OBJECT IDENTIFIER messageType (2 16 840 1
113733 1 9 2)</span><br style="font-family: Courier New;">
<br style="font-family: Courier New;">
</tt><tt>
<span style="font-family: Courier New;">
: (Verisign PKCS #7 attribute)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 176
3: SET {</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 178
1: PrintableString '3'</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 181 17:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 183
10: OBJECT IDENTIFIER pkiStatus (2 16 840 1
113733 1 9 3)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (Verisign PKCS #7 attribute)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 195
3: SET {</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 197
1: PrintableString '2'</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 200 17:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 202
10: OBJECT IDENTIFIER failInfo (2 16 840 1
113733 1 9 4)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (Verisign PKCS #7 attribute)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 214
3: SET {</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 216
1: PrintableString '2'</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 219 24:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 221
9: OBJECT IDENTIFIER contentType (1 2 840
113549 1 9 3)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (PKCS #9)</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 232
11: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 234
9: OBJECT IDENTIFIER data (1 2 840 113549 1
7 1)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (PKCS #7)</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 245 32:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 247
10: OBJECT IDENTIFIER senderNonce (2 16 840 1
113733 1 9 5)</span><br style="font-family: Courier New;">
<br style="font-family: Courier New;">
</tt><tt>
<span style="font-family: Courier New;">
: (Verisign PKCS #7 attribute)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 259
18: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 261
16: OCTET STRING</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: A9 7A AB 92 86 A8 C6 FB A7 AA 59 C8 D8
85 5B 8F</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 279 32:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 281
10: OBJECT IDENTIFIER</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: recipientNonce (2 16 840 1 113733 1 9 6)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (Verisign PKCS #7 attribute)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 293
18: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 295
16: OCTET STRING</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: BD 5F 02 CC D5 5A 25 34 84 00 78 E2 6B
54 D3 7A</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 313 47:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 315
9: OBJECT IDENTIFIER messageDigest (1 2 840
113549 1 9 4)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (PKCS #9)</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 326
34: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 328
32: OCTET STRING</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: E3 B0 C4 42 98 FC 1C 14 9A FB F4 C8 99
6F B9 24</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: 27 AE 41 E4 64 9B 93 4C A4 95 99 1B 78
52 B8 55</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> 362 48:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 364
10: OBJECT IDENTIFIER transID (2 16 840 1
113733 1 9 7)</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (Verisign PKCS #7 attribute)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> 376
34: SET {</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 378
32: PrintableString
'856F90890192FFE9A321C83CB56169AA'</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;">
: }</span><br style="font-family: Courier
New;">
<span style="font-family: Courier New;"> :
}</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 412 13:
SEQUENCE {</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 414 9:
OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: (PKCS #1)</span><br style="font-family:
Courier New;">
<span style="font-family: Courier New;"> 425 0:
NULL</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
}</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> 427 256:
OCTET STRING</span><br style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
6C 5E EA E3 6E 5B 5D E9 41 72 20 83 33 48 1B 7D</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
3F 5F 1F A6 C3 D3 5D D5 F3 D3 57 E7 A7 7C 65 D1</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
25 39 C0 A3 13 E2 63 10 79 28 55 2C 35 51 E0 0F</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
63 7B F1 C4 F2 56 E1 63 37 78 01 C1 84 38 44 94</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
46 8F 54 89 E0 FB C1 50 F5 15 9F CA B4 1E A7 68</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
C1 DE 96 3C AB 79 33 B8 44 44 F2 A1 0B 03 2A FD</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
06 51 5D A1 C6 71 61 50 67 44 C4 94 01 5F 21 1F</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> :
EE CF 4B 8D 79 7F 89 45 0D 32 37 AC BE B2 21 A5</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;">
: [ Another 128 bytes skipped ]</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> : }</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> : }</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> : }</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> : }</span><br
style="font-family: Courier New;">
<span style="font-family: Courier New;"> : }</span><br
style="font-family: Courier New;">
<br style="font-family: Courier New;">
<br style="font-family: Courier New;">
</tt>
</div>
<tt><br>
</tt>
<fieldset class="mimeAttachmentHeader"></fieldset>
<tt><br>
</tt>
<pre wrap=""><tt>_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a>
</tt></pre>
</blockquote>
<tt><br>
</tt>
</body>
</html>