CMS Signed Data verification fails

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

CMS Signed Data verification fails

Wolfgang Bauer
Hi,

we are encountering a problem when verifying a CMS signature (SignedData containing Signed Attributes). 
When parsing the SignerInfo structure the follwing code is used inside the library : 

authenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject)obj, false);


During signature verification 

SignerInformation.doVerify(…) 

the signed Attribute set gets sorted (when calling getEncodedSignedAttributes) and therefore the verification fails (when sort orders differ).

This issue still exists in the latest 1.65 release.

Should I create a new issue on github, or is this the right place to discuss this topic?

Regards
Wolfgang


Reply | Threaded
Open this post in threaded view
|

Re: CMS Signed Data verification fails

Peter Dettman-3
Hi Wolfgang,

"when sort orders differ" - the sort order for an ASN.1 SET in DER
encoding is a fixed canonical ordering, which is why it's used as the
input for the signature. A signature over a different ordering would be
invalid.

How was the SignedData generated?

Regards,
Pete Dettman


On 7/4/20 2:41 pm, Wolfgang Bauer wrote:

> Hi,
>
> we are encountering a problem when verifying a CMS signature (SignedData
> containing Signed Attributes). 
> When parsing the SignerInfo structure the follwing code is used inside
> the library : 
>
> authenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject)obj,
> *false*);
>
>
> During signature verification 
>
> SignerInformation.doVerify(…) 
>
> the signed Attribute set gets sorted (when calling
> getEncodedSignedAttributes) and therefore the verification fails (when
> sort orders differ).
>
> This issue still exists in the latest 1.65 release.
>
> Should I create a new issue on github, or is this the right place to
> discuss this topic?
>
> Regards
> Wolfgang
>
>


Reply | Threaded
Open this post in threaded view
|

Re: CMS Signed Data verification fails

Wolfgang Bauer
Hi Pete,

thanks for your quick response. The SignedData is part of a PDF (PADES) signature and according to Adobe Acrobat Reader (and other tools) the signature is valid.
All these tools seem to keep the ordering as read from the DER encoding.
Although this approach might not be 100% correct, it improves interop.

Do you see any chance to skip the ordering step in bc without patching the library?

Thanks
Wolfgang





On Tue, 2020-04-07 at 16:02 +0700, Peter Dettman wrote:
Hi Wolfgang,

"when sort orders differ" - the sort order for an ASN.1 SET in DER
encoding is a fixed canonical ordering, which is why it's used as the
input for the signature. A signature over a different ordering would be
invalid.

How was the SignedData generated?

Regards,
Pete Dettman


On 7/4/20 2:41 pm, Wolfgang Bauer wrote:
Hi,

we are encountering a problem when verifying a CMS signature (SignedData
containing Signed Attributes). 
When parsing the SignerInfo structure the follwing code is used inside
the library : 

authenticatedAttributes = ASN1Set.getInstance((ASN1TaggedObject)obj,
*false*);


During signature verification 

SignerInformation.doVerify(…) 

the signed Attribute set gets sorted (when calling
getEncodedSignedAttributes) and therefore the verification fails (when
sort orders differ).

This issue still exists in the latest 1.65 release.

Should I create a new issue on github, or is this the right place to
discuss this topic?

Regards
Wolfgang





Reply | Threaded
Open this post in threaded view
|

Re: CMS Signed Data verification fails

Peter Dettman-3
Take a look at how MyRightSignerInformation is used in the CMS
NewSignedDataTest:


https://github.com/bcgit/bc-java/blob/master/pkix/src/test/java/org/bouncycastle/cms/test/NewSignedDataTest.java#L1341

It will allow you to override the effective encoding used for a
signature verification.

Don't forget to also still check signatures against the correct encoding!

Regards,
Pete Dettman


On 7/4/20 5:36 pm, Wolfgang Bauer wrote:

> Hi Pete,
>
> thanks for your quick response. The SignedData is part of a PDF (PADES)
> signature and according to Adobe Acrobat Reader (and other tools) the
> signature is valid.
> All these tools seem to keep the ordering as read from the DER encoding.
> Although this approach might not be 100% correct, it improves interop.
>
> Do you see any chance to skip the ordering step in bc without patching
> the library?
>
> Thanks
> Wolfgang
>
> On Tue, 2020-04-07 at 16:02 +0700, Peter Dettman wrote:
>> Hi Wolfgang,
>>
>> "when sort orders differ" - the sort order for an ASN.1 SET in DER
>> encoding is a fixed canonical ordering, which is why it's used as the
>> input for the signature. A signature over a different ordering would be
>> invalid.
>>
>> How was the SignedData generated?
>>
>> Regards,
>> Pete Dettman