Verification of RSA-PSS signed CRLs


Stathis Deligeorgopoulos
--------------------------------------------------------------
        From: Stathis Deligeorgopoulos <[hidden email]>
          To: [hidden email]
     Subject: Verification of RSA-PSS signed CRLs

Dear all,

I was testing the verification process of RSA-PSS signed CRLs with
BouncyCastle 1.59 and encountered the following weird behaviour:

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Security;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.security.spec.X509EncodedKeySpec;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class CrlPssVerify
{
    public static void main(String[] args) throws Exception
    {
        Security.addProvider(new BouncyCastleProvider());

        // Read CRL from file
        byte[] crlRaw = Files.readAllBytes(Paths.get("testCrl.crl"));
        InputStream is = new ByteArrayInputStream(crlRaw);
        CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
        X509CRL crl = (X509CRL) cf.generateCRL(is);

        // Read PublicKey from file
        X509EncodedKeySpec encodedKeySpecPublic = new X509EncodedKeySpec(Files.readAllBytes(Paths.get("publicKey.x509")));
        KeyFactory keyFactory = KeyFactory.getInstance("RSA");
        PublicKey publicKey = keyFactory.generatePublic(encodedKeySpecPublic);

        // throws error: java.security.SignatureException: CRL does not verify with supplied public key.
        crl.verify(publicKey, "BC");

        // works fine, prints true
        Signature verifier = Signature.getInstance("SHA256withRSAandMGF1", "BC");
        MGF1ParameterSpec mgf1ParameterSpec = new MGF1ParameterSpec("SHA-256");
        PSSParameterSpec pssParameterSpec = new PSSParameterSpec("SHA-256", "MGF1", mgf1ParameterSpec, 20, 1);
        verifier.setParameter(pssParameterSpec);
        verifier.initVerify(publicKey);
        verifier.update(crl.getTBSCertList());

        System.out.println(verifier.verify(crl.getSignature()));
    }
}

I suspect the problem lies in the
org.bouncycastle.jcajce.provider.asymmetric.x509.X509CRLObject class.
There in the doVerify method, the signature parameters are not added to
the Signature Object.

I also tested the exact same scenario with x509 Certificates and there
both verification ways work as expected.

All this was tested with BC 1.59 and Java 1.8.

Best Regards

Stathis Deligeorgopoulos
  --------------------------------------------------------------

HA: [dev-crypto] Verification of RSA-PSS signed CRLs

Vasilij A Burmistrov
Hi, Stathis and All!

I have written about support for the RSASSA-PSS PKCS #1 Version 2.1 signature algorithm in BC.
Take a look at my letter with the subject "Feedback and solution to support RSASSA-PSS" below.

Stathis, you have described the same problem, but with CRLs.

I have a question for the community. How can we incorporate useful changes into a new release of BC? Or who is responsible for that?

Thank you!

Best Regards,
Vasiliy Burmistrov
vburmistrov@...
vburmistrov80@...

From:        Vasilij A Burmistrov/alfa-bank
To:          [hidden email]
Date:        09.04.2018 16:33
Subject:     Feedback and solution to support RSASSA-PSS



Hello!

I use the Bouncy Castle library in my various tasks in Java.
The Bouncy Castle library is awesome! Thank you for your great job!

I faced this issue several days ago.
We have a Microsoft CA Server with root and sub certificates based on the RSASSA-PSS PKCS #1 Version 2.1 signature algorithm.
Of course, client certificates issued by this CA have the same algorithm.
I have read this https://pkisolutions.com/pkcs1v2-1rsassa-pss/ about PKCS #1 Version 2.1, but migration of the CA to RSAwithSHA with re-issue of certificates is impossible for now.
The task is to build a certification path. I found this topic with the same question: http://bouncy-castle.1462172.n4.nabble.com/Using-RSASSA-PSS-signature-algorithm-to-verify-a-certificate-in-Java-td4658632.html

The method cert.verify(key) throws java.security.SignatureException on RSASSA-PSS certificates.

I use this code to verify cert:

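// RSASSA_PSS, BC, SHA_512 and MGF1 are String constants that are not shown in this post
Signature signature = Signature.getInstance(RSASSA_PSS, BC);
// digest SHA_512, MGF1 over SHA_512, salt length 64, trailer field 1
signature.setParameter(new PSSParameterSpec(SHA_512, MGF1,
        new MGF1ParameterSpec(SHA_512), 64, 1));
signature.initVerify(cert.getPublicKey());
signature.update(cert.getTBSCertificate());
return signature.verify(cert.getSignature());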

And it works. But it is only one third of the solution, because the SUN provider and BC use cert.verify(key) in their CertPathBuilder implementations.

I took the source of bcprov-ext-jdk15on_1.59 and made the following changes in org.bouncycastle.jce.provider.CertPathValidatorUtilities

Method:
protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
        String sigProvider)
        throws GeneralSecurityException

Then I built bcprov-ext-jdk15on-1.59-hotfix.jar,
naturally without the electronic signature from Bouncy Castle on the jar.


I added this bcprov-ext-jdk15on-1.59-hotfix.jar to my project and it started to build the certification path from client to trust anchor.

CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC");
PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) builder.build(pkixParams);

It WORKS!

I have put the edited org.bouncycastle.jce.provider.CertPathValidatorUtilities on GitHub: https://github.com/VBurmistrov/Bouncy-Castle-RSASSA-PSS-PKCS-1-Version-2.1-
See the verifyWithRSASSA_PSS method.

Could you please provide me some answers?

Do you know about this issue with PKCS #1 Version 2.1?
Have you planned to add support for this algorithm in your PKIXCertPathBuilder implementation?
Could you take my solution, with some edits of your own, to bring more universality in a new version of the library?
For example, the String mdName and int saltLen parameters for java.security.spec.PSSParameterSpec.PSSParameterSpec can be made customizable.

I wrote to [hidden email] but did not get an answer.
 
Thank you!

Best Regards,
Vasiliy Burmistrov
vburmistrov@...
vburmistrov80@...
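
An added example, not code from either poster or from Bouncy Castle: instead of hard-coding the digest and salt length as both workarounds above do, it reads the RSASSA-PSS parameters from the CRL's own signature AlgorithmIdentifier and checks them against a local policy before verifying. The class name, the allowed-digest list and the policy checks are assumptions made for illustration, and the BC provider is assumed to be registered already.

```java
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.X509CRL;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

// Hypothetical helper; assumes Security.addProvider(new BouncyCastleProvider()) was called.
public final class PssCrlVerifier {
    private static final String OID_RSASSA_PSS = "1.2.840.113549.1.1.10";
    // Assumed local policy: digests this verifier is willing to accept.
    private static final List<String> ALLOWED = Arrays.asList("SHA256", "SHA384", "SHA512");

    public static boolean verify(X509CRL crl, PublicKey issuerKey) throws GeneralSecurityException {
        if (!OID_RSASSA_PSS.equals(crl.getSigAlgOID())) {
            crl.verify(issuerKey, "BC"); // non-PSS CRLs: normal path, throws on failure
            return true;
        }
        byte[] encoded = crl.getSigAlgParams(); // DER RSASSA-PSS-params from the CRL
        if (encoded == null) {
            throw new SignatureException("RSASSA-PSS CRL carries no parameters");
        }
        AlgorithmParameters params = AlgorithmParameters.getInstance("PSS", "BC");
        params.init(encoded);
        PSSParameterSpec spec = params.getParameterSpec(PSSParameterSpec.class);
        checkPolicy(spec);

        // Caveat: this path does not itself compare the outer signatureAlgorithm
        // with the signature field inside the TBSCertList.
        Signature verifier = Signature.getInstance("RSASSA-PSS", "BC");
        verifier.setParameter(spec);
        verifier.initVerify(issuerKey);
        verifier.update(crl.getTBSCertList());
        return verifier.verify(crl.getSignature());
    }

    // The parameters come from the (untrusted) CRL, so constrain them before use.
    static void checkPolicy(PSSParameterSpec spec) throws SignatureException {
        String digest = normalize(spec.getDigestAlgorithm());
        AlgorithmParameterSpec mgf = spec.getMGFParameters();
        if (!ALLOWED.contains(digest)
                || !"MGF1".equalsIgnoreCase(spec.getMGFAlgorithm())
                || !(mgf instanceof MGF1ParameterSpec)
                || !digest.equals(normalize(((MGF1ParameterSpec) mgf).getDigestAlgorithm()))
                || spec.getTrailerField() != 1) {
            throw new SignatureException("RSASSA-PSS parameters rejected by policy");
        }
    }

    private static String normalize(String name) {
        return name.toUpperCase(Locale.ROOT).replace("-", "");
    }
}
```

The salt length is taken from the CRL as encoded, so a CRL signed with a 20-byte salt under SHA-256 (as in the first post) and one signed with a 64-byte salt under SHA-512 both verify without code changes.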


Re: HA: [dev-crypto] Verification of RSA-PSS signed CRLs

David Hook-3

Sorry about that, I have found your email so we definitely got it. We do try to follow up on everything that goes to feedback crypto, but if things are busy, crazy, or both, it can get missed.

With the PSS issue try: https://www.bouncycastle.org/betas

You want 160b05 or later.

With reporting issues, for things like this the best approach is to list it on github - that way it will keep reminding us. If it's likely to be a security issue, or is something you can't list publicly for other reasons use [hidden email]

If you really do need things done in a timely fashion though, I would recommend getting a support contract. We can at least offer an SLA if you have one of those.

Let me know how you go with the beta.

Thanks,

David
