Open Bug 1597202 Opened 5 years ago Updated 7 months ago

Thunderbird S/MIME should support RSA-PSS

Categories: MailNews Core :: Security: S/MIME, enhancement
Tracking: Not tracked
People: Reporter: KaiE; Unassigned
References: Depends on 1 open bug
Attachments: 2 files

No description provided.
Severity: normal → S3

"RSA Signature Scheme with Appendix - Probabilistic Signature Scheme (RSASSA-PSS)"

I made a script that creates RSASSA-PSS signed emails. Th. can verify such emails.

Steps to Reproduce:

  1. make a self-signed cert (root+user bug#1523130#c8), import .p12 file, OR:
    1a. import self-signed cert (root+user) from sb:
    1b. "Authorities" tab → "Import..." → root.crt → "Trust this..."
    1c. "People" tab → "Import..." → user.crt
  2. create simple e-mail messages (headers, etc. low level stuff), see: bug#1011625#c20
    2a. create a "palette" of algorithms that we will test: -md sha1→sha512, rsa_pss_saltlen:default→custom
    2b. glue parts from openssl .p7m with email headers to .eml files
  3. create folder "tests" in "Local Folders", see: bug#1806122, bug#1688163
  4. open signedData/RSA_sha256_opaque.eml
    4a. "Copy To" → "Local Folders" → "tests"
  5. open signedData/rsassaPss_sha256_opaque.eml
    5a. "Copy To" → "Local Folders" → "tests"
  6. open first email (from "Local Folders") RSA_sha256_opaque.eml → [verification OK]
  7. open second email rsassaPss_sha256_opaque.eml → [verification OK]
    7a. "Message Is Signed"
  8. modify base64 code of the file rsassaPss_sha256_opaque.eml and import it to local folder, Th. shows:
    8a. "Digital Signature Is Not Valid" → [ OK ]

Actual results:
Th. can verify RSASSA-PSS signed emails.

Expected Results:
Th. can create and verify RSASSA-PSS signed emails.

How to enable the user to sign with RSASSA-PSS algorithm? Before sending a message / in main settings "Privacy & Security" / hidden in "Config Editor"? This option shouldn't be enabled by default.

Outlook2013 can't verify such emails, eM Client can.

rfc8017#section-8 :

   Two signature schemes with appendix are specified in this document:
   RSASSA-PSS and RSASSA-PKCS1-v1_5.  Although no attacks are known
   against RSASSA-PKCS1-v1_5, in the interest of increased robustness,
   RSASSA-PSS is REQUIRED in new applications.  RSASSA-PKCS1-v1_5 is
   included only for compatibility with existing applications.

https://github.com/cabforum/smime/blob/main/SBR.md#71311-rsa
SMIME BRs prohibit the use of RSASSA-PSS signed certificates, but their support would be a nice-to-have feature (Th. doesn't support them). The script creates regular RSA rsaEncryption (1.2.840.113549.1.1.1) signed certificates, but for testing you can make RSASSA-PSS. Relevant lines: ROOT #49 and #104, USER #114 and #170. When we have a certificate, say, RSASSA-PSS sha256, we can create signed e-mails RSASSA-PSS sha256 only (I tested it).

Standards

rfc3447/rfc8017
X.509 certificates: rfc4055, rfc5756, rfc6664#section-2.2
cms: rfc3852/rfc5652
RSASSA-PSS in cms: rfc4056
other: rfc8551#section-4.2

similar: bug#222179, bug#136289, bug#205546

related to the script (pgp keys attachment method, p7c): bug#545501, bug#540500

Links:
https://www.cs.ucdavis.edu/~rogaway/papers/exact.pdf
https://eprint.iacr.org/2001/062.pdf
https://eprint.iacr.org/2001/053

--

User-Agent:
Thunderbird 102.11.0 (64-bit), Windows 10

Reproducible: Always

Attached image karen_pss.jpg

@KaiE
@leszek.zablocki

> SMIME BRs prohibit the use of RSASSA-PSS signed certificates, but their support would be a nice-to-have feature (Th. doesn't support them).

This might have changed or there's a misunderstanding. The SBR you've linked (https://github.com/cabforum/smime/blob/main/SBR.md#71321-rsa) says "The CA SHALL use one of the following signature algorithms and encodings." and that list includes RSASSA-PSS with SHA-256/384/512. It's just that any other identifier besides rsaEncryption (OID: 1.2.840.113549.1.1.1) should not be used to indicate an RSA key.

> I made a script that creates RSASSA-PSS signed emails. Th. can verify such emails.

I can't confirm that. I've created two messages using OpenSSL+endesive, one being RSA-PSS. TB does not seem to verify RSA-PSS signatures correctly.

Both of the signatures verify with OpenSSL (cms utility), when comparing signature structure the only difference is in the signature itself (keys are algorithm: rsaEncryption in both cases):

<           algorithm: rsaEncryption (1.2.840.113549.1.1.1)
<           parameter: NULL
---
>           algorithm: rsassaPss (1.2.840.113549.1.1.10)
>           parameter: SEQUENCE:

See:

"Karen Griffin"
make_RSASSA-PSS_emails/signedData/print_dump/rsassaPss_sha256_opaque.txt

        signatureAlgorithm:
          algorithm: rsassaPss (1.2.840.113549.1.1.10)
          parameter: SEQUENCE:
    0:d=0  hl=2 l=  48 cons: SEQUENCE
    2:d=1  hl=2 l=  13 cons:  cont [ 0 ]
    4:d=2  hl=2 l=  11 cons:   SEQUENCE
    6:d=3  hl=2 l=   9 prim:    OBJECT            :sha256
   17:d=1  hl=2 l=  26 cons:  cont [ 1 ]
   19:d=2  hl=2 l=  24 cons:   SEQUENCE
   21:d=3  hl=2 l=   9 prim:    OBJECT            :mgf1
   32:d=3  hl=2 l=  11 cons:    SEQUENCE
   34:d=4  hl=2 l=   9 prim:     OBJECT            :sha256
   45:d=1  hl=2 l=   3 cons:  cont [ 2 ]
   47:d=2  hl=2 l=   1 prim:   INTEGER           :20

> This might have changed

likely yes

Some time ago, I wrote a script that creates RSASSA-PSS certificates, but I have not tested them in Th. See:

"Phillip Runaway"
https://github.com/zablockil/enc/blob/main/smime/standalone/rsassaPss/standalone_RSA-PSS_single-key.sh

From what I remember, the following certificate is created with default settings:

https://github.com/cabforum/smime/blob/main/SBR.md#71321-rsa
RSASSA-PSS with SHA-256, MGF-1 with SHA-256, and a salt length of 32 bytes:
Encoding:
304106092a864886f70d01010a3034a00f300d0609608648016503040201
0500a11c301a06092a864886f70d010108300d0609608648016503040201
0500a203020120

If you want to test these scripts, they work on Windows too (you need to install MSYS2 [UCRT64]).

Ahh, to verify the certificate (hex "Encoding"), first convert the certificate to DER:

openssl x509 -in cert_user.crt -outform DER -out cert_user.der

And then check in any of the programs:

basenc --base16 cert_user.der

or

hexdump -Cv cert_user.der
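
Added example, not part of the thread or of the linked scripts: a small DER decoder that reads the RSASSA-PSS parameters (hash, MGF1 hash, salt length) out of the hex "Encoding" quoted above, so the same check can be made on bytes found in a `basenc` or `hexdump` listing. The function names are hypothetical, and `is_matched` encodes an assumed policy (same hash for both roles, salt as long as the digest) that the quoted SHA-256 / MGF-1 SHA-256 / 32-byte combination satisfies.

```python
import hashlib

HASH_OIDS = {"2b0e03021a": "sha1", "608648016503040201": "sha256",  # DER OID hex
             "608648016503040202": "sha384", "608648016503040203": "sha512"}
OID_RSASSA_PSS = "2a864886f70d01010a"  # 1.2.840.113549.1.1.10
OID_MGF1 = "2a864886f70d010108"        # 1.2.840.113549.1.1.8
# Certificate AlgorithmIdentifier: the hex "Encoding" quoted in the thread.
CERT_ALG_ID = bytes.fromhex(
    "304106092a864886f70d01010a3034a00f300d0609608648016503040201"
    "0500a11c301a06092a864886f70d010108300d0609608648016503040201"
    "0500a203020120")

def tlv(buf, pos=0):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each TLV inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        yield tag, val

def pss_params(params):  # params: contents of the RSASSA-PSS-params SEQUENCE
    out = {"hash": "sha1", "mgf_hash": "sha1", "salt_len": 20}  # RFC 4055 defaults
    for tag, val in children(params):
        if tag == 0xA0:    # [0] hashAlgorithm; its NULL parameter is optional
            out["hash"] = HASH_OIDS[tlv(tlv(val)[1])[1].hex()]
        elif tag == 0xA1:  # [1] maskGenAlgorithm: MGF1 plus its own hash
            (_, mgf), (_, mgf_hash) = children(tlv(val)[1])
            if mgf.hex() != OID_MGF1:
                raise ValueError("mask generation function is not MGF1")
            out["mgf_hash"] = HASH_OIDS[tlv(mgf_hash)[1].hex()]
        elif tag == 0xA2:  # [2] saltLength; asn1parse shows it in hex (":20" = 32)
            out["salt_len"] = int.from_bytes(tlv(val)[1], "big")
    return out

def cert_pss_params(alg_id):  # alg_id: a complete AlgorithmIdentifier TLV
    (_, oid), (_, params) = children(tlv(alg_id)[1])
    if oid.hex() != OID_RSASSA_PSS:
        raise ValueError("not id-RSASSA-PSS")
    return pss_params(params)

def is_matched(p):  # same hash for message and MGF1, salt as long as the digest
    return p["hash"] == p["mgf_hash"] and p["salt_len"] == hashlib.new(p["hash"]).digest_size
```

The signatureAlgorithm dump earlier in the thread carries the same three values but omits the NULL after each hash OID; passing the contents of that parameter SEQUENCE to `pss_params` decodes it the same way.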