Handling signature_algorithm extension on TLS1.3 server

Matt Caswell matt at openssl.org
Fri Jun 7 11:02:08 UTC 2019
On 07/06/2019 07:27, Raja Ashok wrote:
> Thanks for the detailed explanation.
> 
> So rsaEncryption cert can do both RSASSA-PKCS-v1_5 and RSASSA-PSS type
> signature. And also the digital signature present on the cert can be of type
> RSASSA-PKCS-v1_5 or RSASSA-PSS.
> 
> Currently in 1.1.1c's has_usable_cert() function, digital signature (Issuer's
> signature) present on rsaEncryption cert type is not checked. So if TLS1.3
> client sends rsa_pss_rsae_xxx in "signature_algorithm" extension and if the
> server's rsaEncrypted cert has digital signature of type RSASSA-PKCS-v1_5, then
> it should not use that certificate but it is using currently.

There are two extensions to consider: signature_algorithms and
signature_algorithms_cert. From RFC 8446:

   TLS 1.3 provides two extensions for indicating which signature
   algorithms may be used in digital signatures.  The
   "signature_algorithms_cert" extension applies to signatures in
   certificates, and the "signature_algorithms" extension, which
   originally appeared in TLS 1.2, applies to signatures in
   CertificateVerify messages.

Looking at the code for has_usable_cert you can see it first checking to see if
it has a certificate that can sign in accordance with signature algorithms. And
then it goes on to check whether the signature in the certificate itself is
consistent with signature_algorithms_cert.

So, if signature_algorithms_cert does not contain rsa_pkcs1_* and the
certificate contains a PKCS1.5 signature, then it shouldn't be used.

However the RFC then goes on to say:

   If no "signature_algorithms_cert" extension is
   present, then the "signature_algorithms" extension also applies to
   signatures appearing in certificates.

This was an area of some ambiguity in the TLSv1.2 spec where only
signature_algorithms exists. I believe it was common practice for
implementations to not check the signatures in certificates for conformance with
this (certainly that is the way OpenSSL behaves). The TLSv1.3 spec seems to be
more explicit about this. I would expect our TLSv1.2 implementation to continue
to operate as it did before, so this additional checking of signatures in
certificates where only the signature_algorithms extension is present should
only apply to TLSv1.3.

I don't see any code to do this in has_usable_cert so this looks like a
potential bug. Although possibly it was left out on purpose.

Ben Kaduk, who implemented this code, may have a view on this:

https://github.com/openssl/openssl/pull/5068/commits/e639c37bddea48334cb45d88d407c655641e1a35


Matt
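
The selection rule Matt describes (first the key must be able to sign a CertificateVerify the client accepts, then the signature on the certificate itself is checked against signature_algorithms_cert, falling back to signature_algorithms in TLS 1.3 only), written out as a small model. This is an added example, not OpenSSL's has_usable_cert(); the scheme names are RFC 8446 SignatureScheme names, while `Cert`, `cert_is_usable` and the key-type table are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Which SignatureScheme values a key of a given SubjectPublicKeyInfo type can
# produce. An rsaEncryption key can sign both PKCS#1 v1.5 and RSASSA-PSS (rsae),
# which is the point made in the quoted mail. Table is an illustration only.
SCHEMES_BY_KEY_TYPE = {
    "rsaEncryption": {
        "rsa_pkcs1_sha256", "rsa_pkcs1_sha384", "rsa_pkcs1_sha512",
        "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384", "rsa_pss_rsae_sha512",
    },
    "RSASSA-PSS": {"rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512"},
    "id-ecPublicKey": {"ecdsa_secp256r1_sha256", "ecdsa_secp384r1_sha384"},
}

# RFC 8446 4.2.3: rsa_pkcs1_* may appear in the extensions but is not defined
# for use in signed handshake messages such as CertificateVerify.
NOT_FOR_CERTIFICATE_VERIFY_13 = {
    s for s in SCHEMES_BY_KEY_TYPE["rsaEncryption"] if s.startswith("rsa_pkcs1_")
}


@dataclass(frozen=True)
class Cert:
    key_type: str           # SubjectPublicKeyInfo algorithm of the server cert
    issuer_sig_scheme: str  # scheme of the issuer's signature on the cert itself


def cert_is_usable(cert: Cert, sig_algs: Iterable[str],
                   sig_algs_cert: Optional[Iterable[str]] = None,
                   tls13: bool = True) -> bool:
    """Return True if the server may present `cert` for this ClientHello."""
    # Step 1: can the key produce a CertificateVerify signature the client accepts?
    usable_for_cv = SCHEMES_BY_KEY_TYPE.get(cert.key_type, set())
    if tls13:
        usable_for_cv = usable_for_cv - NOT_FOR_CERTIFICATE_VERIFY_13
    if not usable_for_cv.intersection(sig_algs):
        return False
    # Step 2: does the signature *on* the certificate match what the client allows?
    if sig_algs_cert is not None:
        allowed_in_cert = set(sig_algs_cert)
    elif tls13:
        # RFC 8446: with no signature_algorithms_cert, signature_algorithms
        # also applies to signatures in certificates.
        allowed_in_cert = set(sig_algs)
    else:
        # TLS 1.2 behaviour described in the thread: cert signatures not checked.
        return True
    return cert.issuer_sig_scheme in allowed_in_cert
```

With the thread's scenario (client offers only rsa_pss_rsae_sha256, no signature_algorithms_cert, server cert is rsaEncryption signed with rsa_pkcs1_sha256) the model returns False for TLS 1.3 and True for TLS 1.2.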

