[openssl-dev] [RFC 0/2] Proposal for seamless handling of TPM based RSA keys in openssl

Richard Levitte levitte at openssl.org
Tue Nov 22 23:07:32 UTC 2016


In message <1479839148.2376.31.camel at HansenPartnership.com> on Tue, 22 Nov 2016 10:25:48 -0800, James Bottomley <James.Bottomley at HansenPartnership.com> said:

James.Bottomley> On Tue, 2016-11-22 at 18:03 +0000, Salz, Rich wrote:
James.Bottomley> > > > It does this by trying to interpret the blob against known ASN.1
James.Bottomley> > > > definitions, and will only succeed when there's a complete match.
James.Bottomley> > > >   I'm
James.Bottomley> > > > not terribly worried...
James.Bottomley> > 
James.Bottomley> > I am.  With locales and UTF8, the old simple days of text/binary are
James.Bottomley> > probably long gone.  And if any ASN.1 definition has extensibility in
James.Bottomley> > it, then we have to be concerned about things being wrapped,
James.Bottomley> > something like prefix attacks, and so on.  
James.Bottomley> >  
James.Bottomley> > > And even if you were, you should be *more* worried about making
James.Bottomley> > > *applications* do it for themselves :)
James.Bottomley> > 
James.Bottomley> > I cannot control what an application does, and I am not responsible
James.Bottomley> > for any other application's reputation.  I do have a strongly vested
James.Bottomley> > stake in OpenSSL's. 
James.Bottomley> > 
James.Bottomley> > It is already possible to write a utility library that tries 
James.Bottomley> > everything in turn, and returns an enumeration that says "seems to be 
James.Bottomley> > an X509 certificate" etc.  And then another routine that takes that 
James.Bottomley> > enumeration and the blob and calls the right decoder.  I would be 
James.Bottomley> > okay with that, even if it were part of OpenSSL.  I am opposed to 
James.Bottomley> > guessing and parsing in one step, and would -1 any PR for that, 
James.Bottomley> > forcing a team discussion.
James.Bottomley> 
James.Bottomley> That's not the proposal.  The proposal is to use PEM form because we
James.Bottomley> can make it uniquely self describing using the guard tags which
James.Bottomley> obviates the problem above.

This is a side thread that discusses the 'file' scheme loader in my
STORE effort.  So, uhmmm, we're a bit away from just PEM here.
However, if we go back to the discussion about TSS KEY BLOBs, yeah,
I've only seen a PEM proposal, and that's a muuuuch easier case.

James.Bottomley> On the larger issue of non-self describing formats like ASN.1: if your
James.Bottomley> theory that there's a security hole by allowing opportunistic format
James.Bottomley> detection is correct, simply making the user specify is palming our bug
James.Bottomley> off on to the user and abdicating responsibility because now when
James.Bottomley> they're tricked into an exploit they can be blamed not openssl.  If
James.Bottomley> such a bug exists, doing opportunistic format detection is the better
James.Bottomley> guarantor of overall system security because if such a bug is found, it
James.Bottomley> would have to be fixed within openssl to everyone's benefit.

I agree with that sentiment.

-- 
Richard Levitte         levitte at openssl.org
OpenSSL Project         http://www.openssl.org/~levitte/
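The two-step design Rich Salz says he would accept (one routine that returns an enumeration saying what the blob seems to be, a second that takes that enumeration and calls the matching decoder) and the self-describing PEM guard tags James Bottomley proposes can be sketched together. The Python below is an added example written for this page; it is not OpenSSL code and not part of the STORE or TPM patches. The BlobKind labels, the "TSS KEY BLOB" label string, and the DER payload in the samples are assumptions made for illustration: the payload is a constructed SEQUENCE { INTEGER 5 }, not a real certificate or key.

```python
"""Identify-then-decode handling of PEM blobs (added illustration, not OpenSSL code).

Step 1 classifies a blob purely from its BEGIN/END guard tags and never
interprets ASN.1.  Step 2 decodes with exactly one decoder chosen by that
classification, so no decoder is ever "tried in turn" against unknown bytes.
"""
import base64
import enum
import re


class BlobKind(enum.Enum):
    # Labels are assumed for this example; "TSS KEY BLOB" is a placeholder.
    X509_CERTIFICATE = "CERTIFICATE"
    RSA_PRIVATE_KEY = "RSA PRIVATE KEY"
    PRIVATE_KEY = "PRIVATE KEY"
    TSS_KEY_BLOB = "TSS KEY BLOB"


# RFC 7468 guard lines: label is uppercase letters/digits separated by single spaces.
_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9]+(?: [A-Z0-9]+)*)-----$")
_END = re.compile(rb"^-----END ([A-Z0-9]+(?: [A-Z0-9]+)*)-----$")
_BY_LABEL = {kind.value.encode(): kind for kind in BlobKind}


def _pem_parts(blob):
    """Return (label, body_lines) of the first PEM block, or None.

    None means "not self-describing PEM": raw DER, plain text, a missing
    END line, or BEGIN/END labels that disagree.  All of those are refused
    rather than guessed.
    """
    lines = [ln.rstrip(b"\r") for ln in blob.split(b"\n")]
    start = None
    for i, ln in enumerate(lines):
        if _BEGIN.match(ln):
            start = i
            break
    if start is None:
        return None
    label = _BEGIN.match(lines[start]).group(1)
    body = []
    for ln in lines[start + 1:]:
        end = _END.match(ln)
        if end:
            return (label, body) if end.group(1) == label else None
        body.append(ln)
    return None  # truncated: no END guard


def identify(blob):
    """Step 1: what does the blob claim to be?  BlobKind or None (unknown)."""
    parts = _pem_parts(blob)
    if parts is None:
        return None
    return _BY_LABEL.get(parts[0])  # unknown labels map to None, not to a guess


def _der_length(der, pos):
    """Parse a DER length at der[pos]; reject indefinite and non-minimal forms."""
    first = der[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(der):
        raise ValueError("bad DER length")
    length = int.from_bytes(der[pos + 1:pos + 1 + n], "big")
    if (n == 1 and length < 0x80) or (n > 1 and der[pos + 1] == 0):
        raise ValueError("non-minimal DER length")
    return length, pos + 1 + n


def _der_sequence(der):
    """Decoder for ASN.1 kinds: require one outer SEQUENCE spanning the whole payload."""
    if not der or der[0] != 0x30:
        raise ValueError("expected outer SEQUENCE")
    length, start = _der_length(der, 1)
    if start + length != len(der):
        raise ValueError("DER length does not cover the payload (trailing/missing bytes)")
    return der[start:]


_DECODERS = {
    BlobKind.X509_CERTIFICATE: _der_sequence,
    BlobKind.RSA_PRIVATE_KEY: _der_sequence,
    BlobKind.PRIVATE_KEY: _der_sequence,
    BlobKind.TSS_KEY_BLOB: lambda der: der,  # opaque to us; a TPM engine would consume it
}


def decode(blob):
    """Step 2: decode with the single decoder selected by identify()."""
    kind = identify(blob)
    if kind is None:
        raise ValueError("not a self-describing PEM blob of a known kind")
    _label, body = _pem_parts(blob)
    der = base64.b64decode(b"".join(body), validate=True)  # strict: no stray bytes
    return kind, _DECODERS[kind](der)


def make_pem(label, der):
    """Wrap DER bytes in PEM guard lines (used only to build the samples below)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN " + label + b"-----\n" + body + b"\n-----END " + label + b"-----\n"


# Constructed sample payload: SEQUENCE { INTEGER 5 }.  Not a real certificate.
CONSTRUCTED_DER = bytes.fromhex("3003020105")
SAMPLE_CERT = make_pem(b"CERTIFICATE", CONSTRUCTED_DER)
SAMPLE_MISMATCH = SAMPLE_CERT.replace(b"END CERTIFICATE", b"END RSA PRIVATE KEY")
SAMPLE_TRAILING = make_pem(b"CERTIFICATE", CONSTRUCTED_DER + b"\x00")
SAMPLE_TSS = make_pem(b"TSS KEY BLOB", b"\x01\x02\x03")

if __name__ == "__main__":
    print(identify(SAMPLE_CERT), decode(SAMPLE_CERT))
    print(identify(CONSTRUCTED_DER), identify(SAMPLE_MISMATCH))
```

The point of the split is that identify() can be wrong only about what a blob *claims* to be, never about its bytes, and decode() runs one decoder whose failure is a hard error rather than a cue to try the next format. Raw DER with no guard lines is reported as unknown instead of being matched against every ASN.1 definition in turn.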

