openssl cms resign with RSA-PSS corrupts the CMS(?)

Alon Bar-Lev alon.barlev at gmail.com
Fri Feb 19 20:44:07 UTC 2021


Hi,

I am trying to analyze openssl sources, and it looks like the resign
is implemented in a naive path that does not handle all cases.

In other words, the CMS resign is not working in any case other than
the default execution path.

For example the -noattr is also not working.

I updated my reproduction project[1] to show all cases of resign that
do not work: CMS_NO_ATTR, CMS_KEY_PARAM.

I believe the root cause is that when resign is executed the
CMS_final() is not called and instead the i2d_CMS_bio() is called,
while its logic is incomplete.

I hope this will ring a bell for people who are maintaining the
crypto/cms/* implementation.

Tested [fails] with:
  OpenSSL_1_1_1-stable
  master

Regards,
Alon

[1] https://github.com/alonbl/openssl-cms-pss

On Fri, Feb 19, 2021 at 10:06 PM Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>
> Thanks.
> I managed to narrow this; it is not related to pss, also if I pass pkcs1 I can reproduce. It has something to do with CMS_KEY_PARAM flag and add signer.
>
> On Fri, 19 Feb 2021 at 22:03 Thulasi Goriparthi <thulasi.goriparthi at gmail.com> wrote:
>>
>> With PSS, for the first signature, PSS alg ID and params are encoded correctly, but not for the second signature (resign).
>>
>>  2542:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
>>  2553:d=7  hl=2 l= 108 cons: SET
>>  2555:d=8  hl=2 l= 106 cons: SEQUENCE
>>  2557:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2559:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
>>  2570:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2572:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
>>  2583:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2585:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
>>  2596:d=9  hl=2 l=  10 cons: SEQUENCE
>>  2598:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
>>  2608:d=9  hl=2 l=  14 cons: SEQUENCE
>>  2610:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  2620:d=10 hl=2 l=   2 prim: INTEGER           :80
>>  2624:d=9  hl=2 l=  13 cons: SEQUENCE
>>  2626:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  2636:d=10 hl=2 l=   1 prim: INTEGER           :40
>>  2639:d=9  hl=2 l=   7 cons: SEQUENCE
>>  2641:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
>>  2648:d=9  hl=2 l=  13 cons: SEQUENCE
>>  2650:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  2660:d=10 hl=2 l=   1 prim: INTEGER           :28
>>  2663:d=5  hl=2 l=   0 cons: SEQUENCE
>>  2665:d=5  hl=2 l=   0 prim: OCTET STRING
>>  2667:d=4  hl=4 l= 723 cons: SEQUENCE
>>  2671:d=5  hl=2 l=   1 prim: INTEGER           :01
>>  2674:d=5  hl=3 l= 149 cons: SEQUENCE
>>  2677:d=6  hl=3 l= 143 cons: SEQUENCE
>>  2680:d=7  hl=2 l=  11 cons: SET
>>  2682:d=8  hl=2 l=   9 cons: SEQUENCE
>>  2684:d=9  hl=2 l=   3 prim: OBJECT            :countryName
>>  2689:d=9  hl=2 l=   2 prim: PRINTABLESTRING   :IN
>>  2693:d=7  hl=2 l=  11 cons: SET
>>
>> ==multiple lines truncated==
>>
>>  2949:d=7  hl=2 l=   9 prim: OBJECT            :S/MIME Capabilities
>>  2960:d=7  hl=2 l= 108 cons: SET
>>  2962:d=8  hl=2 l= 106 cons: SEQUENCE
>>  2964:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2966:d=10 hl=2 l=   9 prim: OBJECT            :aes-256-cbc
>>  2977:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2979:d=10 hl=2 l=   9 prim: OBJECT            :aes-192-cbc
>>  2990:d=9  hl=2 l=  11 cons: SEQUENCE
>>  2992:d=10 hl=2 l=   9 prim: OBJECT            :aes-128-cbc
>>  3003:d=9  hl=2 l=  10 cons: SEQUENCE
>>  3005:d=10 hl=2 l=   8 prim: OBJECT            :des-ede3-cbc
>>  3015:d=9  hl=2 l=  14 cons: SEQUENCE
>>  3017:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  3027:d=10 hl=2 l=   2 prim: INTEGER           :80
>>  3031:d=9  hl=2 l=  13 cons: SEQUENCE
>>  3033:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  3043:d=10 hl=2 l=   1 prim: INTEGER           :40
>>  3046:d=9  hl=2 l=   7 cons: SEQUENCE
>>  3048:d=10 hl=2 l=   5 prim: OBJECT            :des-cbc
>>  3055:d=9  hl=2 l=  13 cons: SEQUENCE
>>  3057:d=10 hl=2 l=   8 prim: OBJECT            :rc2-cbc
>>  3067:d=10 hl=2 l=   1 prim: INTEGER           :28
>>  3070:d=5  hl=2 l=  62 cons: SEQUENCE
>>  3072:d=6  hl=2 l=   9 prim: OBJECT            :rsassaPss
>>  3083:d=6  hl=2 l=  49 cons: SEQUENCE
>>  3085:d=7  hl=2 l=  13 cons: cont [ 0 ]
>>  3087:d=8  hl=2 l=  11 cons: SEQUENCE
>>  3089:d=9  hl=2 l=   9 prim: OBJECT            :sha256
>>  3100:d=7  hl=2 l=  26 cons: cont [ 1 ]
>>  3102:d=8  hl=2 l=  24 cons: SEQUENCE
>>  3104:d=9  hl=2 l=   9 prim: OBJECT            :mgf1
>>  3115:d=9  hl=2 l=  11 cons: SEQUENCE
>>  3117:d=10 hl=2 l=   9 prim: OBJECT            :sha256
>>  3128:d=7  hl=2 l=   4 cons: cont [ 2 ]
>>  3130:d=8  hl=2 l=   2 prim: INTEGER           :DE
>>  3134:d=5  hl=4 l= 256 prim: OCTET STRING      [HEX DUMP]:66C7A406905E0BEF3BE8A55B8BA05915020B6960BDE4700C3C3FB2F115FE5BA60B453EFF39BA37E4D16CA3A86582B3057D05875766BE99C51BC5BEC9CD1AAE3BEC34943160BB06784209F1A3773E07A101BA3E2231FDF85FAB91872A081E37410905A09DAF530600BF9099B054B1DF869826E864A95F5D55DAE84A0CEC43E52F6D13574E1EF66A4E3A65883788E265D6C174211ADBCFEA96A9DD186887BFE040D6D0B59547D8763157D322F0307D7AF3123B0ECFB11E1E7EA228861F4363DBA8D478A7E44F1DEB77A3904FBD90CAA41E291A2E094ABCBD5134146FB1C0F42BC8D7B4829DEFEE7BACDFC024FB8B9FAF16F225EB3C96D866C535B2A06E83DCF007
>>
>>
>> Thanks,
>>
>> Thulasi.
>>
>>
>>
>> On Sat, 20 Feb 2021 at 00:40, Alon Bar-Lev <alon.barlev at gmail.com> wrote:
>>>
>>> Thanks!
>>> Was about to write... I tested both 1.1 and master branches and result is the same.
>>>
>>>
>>> On Fri, 19 Feb 2021 at 21:04 Thulasi Goriparthi <thulasi.goriparthi at gmail.com> wrote:
>>>>
>>>> I am able to reproduce this issue with 1.1.1j too.
>>>>
>>>> openssl version -a
>>>> OpenSSL 1.1.1j  16 Feb 2021
>>>> built on: Fri Feb 19 18:56:06 2021 UTC
>>>> platform: darwin64-x86_64-cc
>>>> options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
>>>> compiler: cc -fPIC -arch x86_64 -g -Wall -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -D_REENTRANT -DNDEBUG
>>>> OPENSSLDIR: "/usr/local/ssl"
>>>> ENGINESDIR: "/usr/local/lib/engines-1.1"
>>>> Seeding source: os-specific
>>>>
>>>> openssl cms -sign -in msg -text -signer cert1.pem -out 1.cms -keyopt rsa_padding_mode:pss
>>>> openssl cms -verify -in 1.cms -CAfile ca.pem
>>>> Content-Type: text/plain
>>>>
>>>> hello world
>>>> Verification successful
>>>>
>>>> openssl cms -resign -in 1.cms -signer cert2.pem -out 2.cms -keyopt rsa_padding_mode:pss
>>>> openssl cms -verify -in 2.cms -CAfile ca.pem
>>>> Error reading S/MIME message
>>>> 4757167552:error:0D078079:asn1 encoding routines:asn1_item_embed_d2i:field missing:crypto/asn1/tasn_dec.c:425:Field=algorithm, Type=X509_ALGOR
>>>> 4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=signatureAlgorithm, Type=CMS_SignerInfo
>>>> 4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:615:Field=signerInfos, Type=CMS_SignedData
>>>> 4757167552:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:
>>>> 4757167552:error:0D08403A:asn1 encoding routines:asn1_template_ex_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:496:Field=d.signedData, Type=CMS_ContentInfo
>>>> 4757167552:error:0D0D106E:asn1 encoding routines:b64_read_asn1:decode error:crypto/asn1/asn_mime.c:143:
>>>> 4757167552:error:0D0D40CC:asn1 encoding routines:SMIME_read_ASN1:asn1 sig parse error:crypto/asn1/asn_mime.c:451:
>>>>
>>>>
>>>> Thanks,
>>>>
>>>> Thulasi.
>>>>
>>>>
>>>> On Sat, 20 Feb 2021 at 00:09, Viktor Dukhovni <openssl-users at dukhovni.org> wrote:
>>>>>
>>>>> On Fri, Feb 19, 2021 at 11:19:42PM +0530, Thulasi Goriparthi wrote:
>>>>>
>>>>> > I am able to reproduce this issue with 1.1.1i
>>>>>
>>>>> OpenSSL 1.1.1j has been released.  Do you still see the problem with
>>>>> 1.1.1j?
>>>>>
>>>>> --
>>>>>     Viktor.
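As an added example that is not part of this thread or of OpenSSL's code: a small DER check that flags the exact defect the dumps above show for the resigned SignerInfo (an empty signatureAlgorithm SEQUENCE followed by an empty signature OCTET STRING), which is what the "field missing ... Field=algorithm, Type=X509_ALGOR" error is complaining about. The two SignerInfo samples are constructed inline (empty Name, serial 1, filler signature bytes); pulling a SignerInfo out of a real CMS ContentInfo is assumed to be done elsewhere.

```python
def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split a constructed value into its (tag, value) members
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _der(tag, content):  # encode a DER TLV; content under 256 bytes suffices for the samples
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + content

SHA256_OID = bytes.fromhex("608648016503040201")      # 2.16.840.1.101.3.4.2.1
RSASSA_PSS_OID = bytes.fromhex("2a864886f70d01010a")  # 1.2.840.113549.1.1.10
MGF1_OID = bytes.fromhex("2a864886f70d010108")        # 1.2.840.113549.1.1.8

def check_signer_info(der):
    """Return the problems found in one DER SignerInfo; [] means the fields are present."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        return ["SignerInfo is not a SEQUENCE"]
    fields = _children(body)  # version, sid, digestAlgorithm, [0] signedAttrs?, sigAlg, signature
    idx = 4 if len(fields) > 3 and fields[3][0] == 0xA0 else 3  # skip optional signedAttrs
    if len(fields) < idx + 2:
        return ["SignerInfo lacks signatureAlgorithm and/or signature"]
    problems, (alg_tag, alg) = [], fields[idx]
    inner = _children(alg) if alg_tag == 0x30 else []
    if not inner or inner[0][0] != 0x06:
        problems.append("signatureAlgorithm has no algorithm OID (the l=0 SEQUENCE in the dump)")
    elif inner[0][1] == RSASSA_PSS_OID and (len(inner) < 2 or inner[1][0] != 0x30):
        problems.append("rsassaPss signatureAlgorithm without RSASSA-PSS-params")
    sig_tag, sig = fields[idx + 1]
    if sig_tag != 0x04 or not sig:
        problems.append("signature OCTET STRING is missing or empty")
    return problems

_PREFIX = (_der(0x02, b"\x01") + _der(0x30, _der(0x30, b"") + _der(0x02, b"\x01"))  # version 1, issuerAndSerialNumber (constructed: empty Name, serial 1)
           + _der(0x30, _der(0x06, SHA256_OID)))  # digestAlgorithm sha256
_PSS_PARAMS = _der(0x30, _der(0xA0, _der(0x30, _der(0x06, SHA256_OID)))  # hashAlgorithm sha256
              + _der(0xA1, _der(0x30, _der(0x06, MGF1_OID) + _der(0x30, _der(0x06, SHA256_OID))))  # mgf1
              + _der(0xA2, _der(0x02, b"\x00\xde")))  # saltLength 222 (0xDE, as in the first dump)
GOOD_SIGNER_INFO = _der(0x30, _PREFIX + _der(0x30, _der(0x06, RSASSA_PSS_OID) + _PSS_PARAMS) + _der(0x04, bytes(32)))  # filler signature bytes
BROKEN_SIGNER_INFO = _der(0x30, _PREFIX + _der(0x30, b"") + _der(0x04, b""))  # shape of the resigned signer in the dump
```

Running the check over the signer infos of a freshly produced CMS (before it is shipped or archived) turns the verifier's nested ASN.1 error into a direct report of which signer lost its algorithm identifier.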

