[Pki-users] SHA-256 signed CMC revocation messages failing to verify on server

Christina Fu cfu at redhat.com
Thu Sep 27 16:34:07 UTC 2012 

Hi Jamil,

I am running a variant of  jss-4.2.6-23 (with one extra patch that I 
have not had time to push/build, but it has nothing to do with your 
suspected area).  For nss, I'm running nss-3.13.5-8.el5.  Again, I 
develop on RHEL.

Yes, if you'd send in your code with precise reproducing steps, I might 
be able to look into it sooner.

Christina

On 09/25/2012 11:10 PM, Nimeh, Jamil wrote:
> Hi Christina, thank you very much for getting back to me.
>
> I haven't seen the problem with the PKCS#1 SHA-256 with RSA OID.  That 
> seems to work across the board with JSS and Dogtag (otherwise I could 
> never sign a cert with SHA-256, I suppose).  I'd be curious to know 
> what version of JSS is on your RHEL/RHCS8.1 machine, and perhaps what 
> NSS version.  On my Fedora box it's JSS 4.2.6 and NSS 3.13.4.  Maybe 
> something different between the bits we're running?
>
> I've run into the issue when a PKCS#7 or CMS signedData message is 
> created.  In those cases, the SHA-256 OID would normally be asserted 
> in two locations:
> 1. In the DigestAlgorithmIdentifiers segment of the SignedData object 
> (see RFC 5652 5.1): CMS/PKCS#7 objects have it properly asserted here.
>
> 2. In the DigestAlgorithmIdentifier portion of the SignerInfo (see RFC 
> 5652 5.3): This is where the OID gets messed up with SHA-2 algs.  
> Since there is only one signer, the DigestAlgorithmIdentifiers section 
> at the beginning would have only one OID, the SHA-256 one, and that 
> OID should be repeated again in the SignerInfo.
>
> What happens though is that the SignerInfo's DigestAlgorithmIdentifier 
> will show up with an OID of 2.16.840.1.101.3.4.1 when it should be 
> 2.16.840.1.101.3.4.2.1.  This appears to happen with JSS 4.2.6, but 
> not with JSS 4.3.  But 4.2.6 is what comes down when the dogtag 
> packages are pulled with yum, so I wasn't sure if I could pop in a 
> newer JSS safely.
>
> Tomorrow I'll take my doctored up CMCRevoke and cook up two messages, 
> one where I load the 4.2.6 JSS and one where I do 4.3 and I'll send 
> you the DER encodings so you can see what I'm talking about.  I don't 
> recall, but I think the bug report for 824624 might have sample SCEP 
> CertRep messages from the CA, which show the issue using PKCS#7.
>
> Once again, thank you very much for taking the time to look at this.
>
> --Jamil
>
> ------------------------------------------------------------------------
> *From:* pki-users-bounces at redhat.com [pki-users-bounces at redhat.com] on 
> behalf of Christina Fu [cfu at redhat.com]
> *Sent:* Tuesday, September 25, 2012 8:46 PM
> *To:* pki-users at redhat.com
> *Subject:* Re: [Pki-users] SHA-256 signed CMC revocation messages 
> failing to verify on server
>
> Hi Jamil,
>
> I tried to reproduce your issue, but I seemed to be able to generate 
> CMC revocation request with SHA-256 digest.  I have to admit that my 
> main development machine is RHEL and I work on RHCS8.1 tree.
>
> I changed all "SHA1" to "SHA256" in CMCRevoke.java (with the exception 
> with DSA), compiled, and it just worked.  Did you do anything different?
>
> I could see in dumpasn1 where SHA245 is in place:
>                 C-Sequence  (13)
>                    Object Identifier  (9)
>                       1 2 840 113549 1 1 11 (PKCS #1 SHA-256 With RSA Encryption)
>                    NULL  (0)
> Christina
>
> On 09/19/2012 11:19 AM, Christina Fu wrote:
>> Hi Jamil,
>>
>> We made an effort to support SHA2 where we can but might have missed 
>> a few places.  I'll look into this and hopefully be able to get back 
>> to you in a few days.
>>
>> thanks,
>> Christina
>>
>> On 09/19/2012 12:44 AM, Nimeh, Jamil wrote:
>>>
>>> Hello Dogtag Gurus,
>>>
>>> I have been trying to issue CMC revocation messages signed with 
>>> SHA-256, but the server fails to validate the message in the CMCAuth 
>>> java policy module.  If I leave all fields the same but change the 
>>> signature algorithm to SHA-1 then everything seems to work fine.
>>>
>>> I suspect this is another side-effect of the root-cause for bug 
>>> 824624.  It seems like in certain cases with JSS 4.2.6 when PKCS#7 
>>> messages are created using any of the SHA-2 variants, the OIDs get 
>>> messed up.  This happened with SCEP responses from the CA (the bug 
>>> referenced above) and I had it happen with the CMC revoke 
>>> modifications I made.  The latter issue was fixed by pulling down 
>>> JSS 4.3 and loading that jar in the classpath for the modified 
>>> CMCRevoke tool.  However, on the server side I ended up seeing 
>>> verification failures.
>>>
>>> I'm running pki-common-9.0.20, jss 4.2.6, and NSS 3.13.4.  At one 
>>> point I had heard that Dogtag 9.0.X wasn't 100% safe to run with JSS 
>>> 4.3 or later.  Is that still the case with the latest 9.0 packages?
>>>
>>>
>>> Has anyone had any success generating these CMC messages using SHA-2 
>>> hash algs and getting Dogtag to accept them?
>>>
>>>
>>> Thanks,
>>>
>>> Jamil
>>>
>>>
>>> _______________________________________________
>>> Pki-users mailing list
>>> Pki-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/pki-users
>>
>>
>> _______________________________________________
>> Pki-users mailing list
>> Pki-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/pki-users
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20120927/053cccad/attachment.htm>

More information about the Pki-users mailing list