GPG Signature Verification

GPG Signature Verification

Paul Taukatch-2

Hello and thank you for taking the time to help out!

I am developing my own implementation of the PGP specification and have a question regarding the signature generation/verification for Transferable Public Keys that maybe one of you could help shed some light on. Currently I create a single primary RSA key and userID and bind the two with a certification self-signature (0x13). When importing this certificate into GPG I get a signature verification failure which prevents the certificate from importing.

I've read through the rfc4880, 5.2.4 - Computing Signatures section quite thoroughly and believe I am generating the signature properly - Signing the Hash context of the primary key + user ID + signature data (V4).

One thing I notice in the debug info is that the first few bytes of the rsa_verify data and rsa_verify cmp do not match.

DBG: rsa_verify data:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffff003031300d06096086480165030402010500042007 \
DBG: 3d952c71b2d7c2c945c60f828f087e1d517774f84fe30825f18709659466e7

DBG: rsa_verify cmp:+01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff \
DBG: ffffffffffffffffffffffffff00302f300b0609608648016503040201042007 \
DBG: 3d952c71b2d7c2c945c60f828f087e1d517774f84fe30825f18709659466e7

Does anyone know exactly what this verify data is comprised of? I notice that the hash of the (Primary Key + UserID + Signature Data hash context) = 073D952C71B2D7C2C945C60F828F087E1D517774F84FE30825F18709659466E7 which seems to match for both the verify data and cmp.

I've attached my public key and debug log but please let me know if there is any other information that might be helpful.

(See attached file: exportZPGPTest.bin)(See attached file: debug.txt)

Thanks Again!


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: GPG Signature Verification

Kristian Fiskerstrand-6
On 04/20/2017 09:17 PM, Paul Taukatch wrote:
> I've attached my public key and debug log but please let me know if there
> is any other information that might be helpful.

The first reference that springs to mind is [RFC4880] Section 5.2.4.
Computing Signatures

References:
[RFC4880]
https://tools.ietf.org/rfc/rfc4880.txt
--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"By three methods we may learn wisdom: First, by reflection, which is
noblest; Second, by imitation, which is easiest; and third by
experience, which is the bitterest."
(Confucius)


Re: GPG Signature Verification

Kristian Fiskerstrand-6
On 04/21/2017 09:16 AM, Kristian Fiskerstrand wrote:
> On 04/20/2017 09:17 PM, Paul Taukatch wrote:
>> I've attached my public key and debug log but please let me know if there
>> is any other information that might be helpful.
>
> The first reference that springs to mind is [RFC4880] Section 5.2.4.
> Computing Signatures

Of course you already mentioned this in your initial email :) Looks
correct to me.


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"If your kids are giving you a headache, follow the directions on the
aspirin bottle, especially the part that says "keep away from children."
(Neil McElroy)


Re: GPG Signature Verification

Paul Taukatch-2

Appreciate the feedback, but I have indeed reread the RFC specification quite thoroughly and still can't seem to figure out the issue. Don't mean to spam the mailing list, but is there any chance someone might have a bit more insight into this? Quite stumped!

Thanks,
Paul Taukatch
Advanced Technologies Team / zOS Cloud Crypto



From: Kristian Fiskerstrand <[hidden email]>
To: Paul Taukatch/Poughkeepsie/IBM@IBMUS, [hidden email]
Date: 04/21/2017 06:29 AM
Subject: Re: GPG Signature Verification

Re: GPG Signature Verification

Peter Lebbing
In reply to this post by Paul Taukatch-2
On 20/04/17 21:17, Paul Taukatch wrote:
> Does anyone know exactly what this verify data is comprised of?

"data" seems to be correct: it is an EMSA-PKCS1-v1_5 encoded RSA SHA-256
signature. As RFC 3447 states:

EM = 0x00 || 0x01 || PS || 0x00 || T.

PS is a string of binary 1's to fill up the remaining space in the RSA
message, and T is a constant DER-encoding of SHA-256 followed by the
actual signature. The constant portion is in both RFC 3447 and RFC 4880:

 The full hash prefixes for these are as follows:

[...]

       SHA256:     0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
                   0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
                   0x00, 0x04, 0x20

The part of "cmp" that would correspond to the constant part of the DER
encoding I do not recognise. My guess is that you did not instruct the
library you're using to generate the signature to create an
EMSA-PKCS1-v1_5 encoding, and that's why it is generating an RSA message
that differs in construction.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


Re: GPG Signature Verification

Peter Lebbing
On 24/04/17 19:23, Peter Lebbing wrote:
> The part of "cmp" that would correspond to the constant part of the DER
> encoding I do not recognise.

It is still proper ASN.1, but it encodes a slightly different structure.

I wondered whether it was DER encoded or BER encoded, because I read
that BER was valid for old PKCS#1 v1.5 structures. DER is a subset of
BER. If the Python ASN.1 module pyasn1 rejects malformed DER encoding
then it is proper DER; or would pyasn1 be liberal in what it accepts?

Anyway, the two ASN.1 encoded objects are slightly different:

$ python
[...]
>>> import pyasn1.codec.der.decoder
>>> sha256der = b'\x30\x31\x30\x0d\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x05\x00\x04\x20' + chr(0)*32
>>> unknown_enc=b'\x30\x2f\x30\x0b\x06\x09\x60\x86\x48\x01\x65\x03\x04\x02\x01\x04\x20'+chr(0)*32
>>> pyasn1.codec.der.decoder.decode(sha256der)
(Sequence().setComponentByPosition(0, Sequence().setComponentByPosition(0, ObjectIdentifier(2.16.840.1.101.3.4.2.1)).setComponentByPosition(1, Null(''))).setComponentByPosition(1, OctetString(hexValue='0000000000000000000000000000000000000000000000000000000000000000')), '')
>>> pyasn1.codec.der.decoder.decode(unknown_enc)
(Sequence().setComponentByPosition(0, Sequence().setComponentByPosition(0, ObjectIdentifier(2.16.840.1.101.3.4.2.1))).setComponentByPosition(1, OctetString(hexValue='0000000000000000000000000000000000000000000000000000000000000000')), '')

There's an extra setComponentByPosition(1, Null('')) in the properly
encoded ASN.1. It would appear that the library you're using *is*
trying to generate a PKCS#1 v1.5 message, but that it ends up with a
slightly different DER encoding than what is defined for OpenPGP. You
will have to find a way to generate an EMSA-PKCS1-v1_5 structure that is
compatible with RFC 4880 (and RFC 3447 PKCS #1 Version 2.1).

I don't know much about ASN.1, so I can't really say anything useful
about the results of the experiment above.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
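
An added example, not part of the thread or of any poster's code: a stdlib-only Python check of the EM = 0x00 || 0x01 || PS || 0x00 || T structure and of the DigestInfo difference described above, using the digest and the two prefixes from the debug log. The function names, the verdict strings and the modulus length k = 128 (inferred from the 127-byte dumps) are assumptions of this example.

```python
# DigestInfo prefix for SHA-256, as quoted in the thread from RFC 4880 / RFC 3447.
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(digest: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T for a k-byte modulus (SHA-256 only)."""
    t = SHA256_PREFIX + digest
    if len(digest) != 32 or k < len(t) + 11:
        raise ValueError("bad digest length or modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def tlv(buf: bytes, pos: int, want: int):
    """Read one short-form DER TLV whose tag must be `want`: (value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if tag != want or length & 0x80 or pos + 2 + length > len(buf):
        raise ValueError("unexpected tag or length")
    return buf[pos + 2:pos + 2 + length], pos + 2 + length

def diagnose(em: bytes, k: int) -> str:
    """Classify a recovered block; a dump without the leading 0x00 is re-padded."""
    em = em.rjust(k, b"\x00")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep].strip(b"\xff"):
        return "bad padding"          # wrong header, PS under 8 bytes, or non-0xff PS
    t = em[sep + 1:]
    if t.startswith(SHA256_PREFIX) and len(t) == len(SHA256_PREFIX) + 32:
        return "ok"
    try:
        body, end = tlv(t, 0, 0x30)        # DigestInfo SEQUENCE
        alg, pos = tlv(body, 0, 0x30)      # AlgorithmIdentifier SEQUENCE
        oid, ppos = tlv(alg, 0, 0x06)      # algorithm OID
        _, dend = tlv(body, pos, 0x04)     # digest OCTET STRING
        if end != len(t) or dend != len(body):
            raise ValueError("trailing bytes")
    except (ValueError, IndexError):
        return "not a DigestInfo"
    if oid == SHA256_PREFIX[6:15] and ppos == len(alg):
        return "SHA-256 DigestInfo without NULL parameters"
    return "unexpected DigestInfo"

# Values from the thread's debug log; k = 128 is inferred from the dump length.
K = 128
DIGEST = bytes.fromhex("073D952C71B2D7C2C945C60F828F087E1D517774F84FE30825F18709659466E7")
# "cmp" as dumped: leading 0x00 dropped, 76 bytes of PS, then the 17-byte prefix.
CMP = (b"\x01" + b"\xff" * 76 + b"\x00"
       + bytes.fromhex("302f300b06096086480165030402010420") + DIGEST)

if __name__ == "__main__":
    print(diagnose(emsa_pkcs1_v15(DIGEST, K), K))   # the block GnuPG expects ("data")
    print(diagnose(CMP, K))                         # the block the signature yields
```

Because the whole encoded block is compared, the two extra bytes of the NULL parameters also shift the padding length (74 versus 76 bytes of 0xff), which is why the dumps already differ before the DER prefix starts.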


Re: GPG Signature Verification

Paul Taukatch-2

This was exactly the issue! I was originally using the Bouncy Castle ASN1Encodable library to generate the encoded hash value, which for some reason does not seem to produce the value defined/expected by PGP. Instead, I now just use the ASN.1 full hash prefixes defined in the RFC directly, and the issue was resolved.

Very much appreciated Peter!

Thanks,
Paul Taukatch
Advanced Technologies Team / zOS Cloud Crypto



From: Peter Lebbing <[hidden email]>
To: Paul Taukatch/Poughkeepsie/IBM@IBMUS, [hidden email]
Date: 04/26/2017 06:24 AM
Subject: Re: GPG Signature Verification