-
Notifications
You must be signed in to change notification settings - Fork 3
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RSA signature does not appear to be correct #28
Comments
I also tested this using an online tool with the same result: https://8gwifi.org/RSAFunctionality?rsasignverifyfunctions=rsasignverifyfunctions |
I would really appreciate a pointer in the right direction here, even just a link to a public implementation which passes this test suite would help immensely. I find it hard to believe that these have the wrong signature and nobody has noticed, and I would fully expect to be wrong, but none of the implementations linked here: w3c-ccg/http-signatures#1 seem to incorporate this test suite, and there is no reference implementation linked anywhere? @aljones15 you tested my PR recently with a nodejs implementation - are you able to validate these RSA signatures? |
Those were generated by node's crypto function and not ssh. however other
implementors have managed to use them.
This is the reference implementation for node:
https://github.com/digitalbazaar/http-signature-header/tree/master/bin
My apologies about the mistakes. feel free to contribute newer RSA
signatures produced using ssh if you want.
…On Sat, Apr 18, 2020 at 7:54 PM Diggory Blake ***@***.***> wrote:
I would really appreciate a pointer in the right direction here, even just
a link to a public implementation which passes this test suite would help
immensely.
I find it hard to believe that these have the wrong signature and nobody
has noticed, and I would fully expect to be wrong, but none of the
implementations linked here: w3c-ccg/http-signatures#1
<w3c-ccg/http-signatures#1> seem to incorporate
this test suite, and there is no reference implementation linked anywhere?
@aljones15 <https://github.com/aljones15> you tested my PR recently with
a nodejs implementation - are you able to validate these RSA signatures?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACD6CEJRETM6QVGJ27WSE3RNI4TNANCNFSM4MKGOLSA>
.
--
Andrew Jones
|
One possibility is that they are not verifying because they are not wrapped
in the typical ssh wrapper perhaps.
…On Sat, Apr 18, 2020 at 10:41 PM Andrew Jones ***@***.***> wrote:
Those were generated by node's crypto function and not ssh. however other
implementors have managed to use them.
This is the reference implementation for node:
https://github.com/digitalbazaar/http-signature-header/tree/master/bin
My apologies about the mistakes. feel free to contribute newer RSA
signatures produced using ssh if you want.
On Sat, Apr 18, 2020 at 7:54 PM Diggory Blake ***@***.***>
wrote:
> I would really appreciate a pointer in the right direction here, even
> just a link to a public implementation which passes this test suite would
> help immensely.
>
> I find it hard to believe that these have the wrong signature and nobody
> has noticed, and I would fully expect to be wrong, but none of the
> implementations linked here: w3c-ccg/http-signatures#1
> <w3c-ccg/http-signatures#1> seem to
> incorporate this test suite, and there is no reference implementation
> linked anywhere?
>
> @aljones15 <https://github.com/aljones15> you tested my PR recently with
> a nodejs implementation - are you able to validate these RSA signatures?
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <#28 (comment)>,
> or unsubscribe
> <https://github.com/notifications/unsubscribe-auth/AACD6CEJRETM6QVGJ27WSE3RNI4TNANCNFSM4MKGOLSA>
> .
>
--
Andrew Jones
--
Andrew Jones
|
@aljones15 I'm sorry to say but your nodejs implementation is broken: it always returns success even if the signature doesn't match! See here: const verified = crypto.verify(
null, canonicalizedString, publicKeyFile, signature);
if(verified) {
return canonicalizedString.toString('utf8');
}
return 'Signature verification failed.'; The test suite harness expects the generator to return a non-zero exit code if validation fails, and in your program this only happens when the library throws an exception. However, when the signature doesn't match it just returns the string "Signature verification failed." which the test harness ignores. Clearly there is a need for a test which ensures a program rejects bad signatures. |
There are two additional bugs I spotted:
canonicalizedString = Buffer.from(
httpSignatureAlgorithm.hash.digest('utf8'), 'utf8'); This should just be: canonicalizedString = httpSignatureAlgorithm.hash.digest(); |
thanks for finding the bug in our binary there was some discussion at some
point about returning an error message.
I will correct that when I find time. It's interesting that the RSA files
from node crypto are invalid. I will also log
those bugs with the project and hopefully we can get around to them. The
utf-8 one might be intentional I'm not sure.
Also my apologies as always about the low quality of the test suite and
thank you for the help so far.
…On Sun, Apr 19, 2020 at 11:06 AM Diggory Blake ***@***.***> wrote:
There are two additional bugs I spotted:
1.
The implementation always assumes SHA512 - the "key type" argument
from the test suite should really include what digest algorithm to use.
2.
The implementation round-trips binary data through utf8 encoding which
will cause problems for data which is not valid utf8:
canonicalizedString = Buffer.from(
httpSignatureAlgorithm.hash.digest('utf8'), 'utf8');
This should just be:
canonicalizedString = httpSignatureAlgorithm.hash.digest();
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACD6CG5NXNNIU4MADJIOZ3RNMHPJANCNFSM4MKGOLSA>
.
--
Andrew Jones
|
In this case the data being encoded is the output of the hash function (ie. it is random binary data, not text) so definitely shouldn't be round-tripped through UTF-8.
I would be happy to contribute more to this code-base, but I don't want open a load of PRs that sit around for a long time, or never get merged. I will look at adding tests and update the RSA keys with valid ones once #26 is merged. Is there anything else I can do to help drive progress on the RFC in general? Everything seems to be in a bit of a weird state - I know that lots of companies are using this signature scheme in production, and there is recent activity on the github repo for the RFC itself, but then the main link in the repo description is broken (https://w3c-dvcg.github.io/http-signatures/) and there's not even a README. The draft is 7 years old now, and while there have been continual improvements, it doesn't seems like it's getting any closer to the goal of leaving "draft" status. How is work on this being organised? Are there any timelines? |
I'm not the right person to talk about the SPEC, but I will try to find
someone to merge in that PR you made. It looks I no longer have write
access to the test repo itself which is why it is not being merged.
At the moment 2 of the authors of the current revision of the RFC spec are
just beyond slammed with COVID related projects sadly hence there is zero
progress being made on it. I did make a branch of our
implementation today that throws when verified is false so I should at
least no longer be getting false positives for those tests. I do not know
the time frame for when work will resume on the spec, but I really
appreciate your work on this it has been exactly
what is needed. Detailed and through.
…On Sun, Apr 19, 2020 at 4:10 PM Diggory Blake ***@***.***> wrote:
The utf-8 one might be intentional I'm not sure
In this case the data being encoded is the output of the hash function
(ie. it is random binary data, not text) so definitely shouldn't be
round-tripped through UTF-8.
thank you for the help so far.
I would be happy to contribute more to this code-base, but I don't want
open a load of PRs that sit around for a long time, or never get merged. I
will look at adding tests and update the RSA keys with valid ones once #26
<#26> is merged.
Is there anything else I can do to help drive progress on the RFC in
general? Everything seems to be in a bit of a weird state - I know that
lots of companies are using this signature scheme in production, and there
is recent activity on the github repo for the RFC itself, but then the main
link in the repo description is broken (
https://w3c-dvcg.github.io/http-signatures/) and there's not even a
README. The draft is 7 years old now, and while there have been continual
improvements, it doesn't seems like it's getting any closer to the goal of
leaving "draft" status. How is work on this being organised? Are there any
timelines?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACD6CA65H3BM3PXI7PEUM3RNNLDRANCNFSM4MKGOLSA>
.
--
Andrew Jones
|
The spec has been picked up by the HTTP working group at IETF: w3c-ccg/http-signatures#96 (comment) Further work on the spec will continue there. |
@Diggsey So i created this branch: What is strange is that with the utf8 round trip it does verify, without the utf8 roundtrip it does not verify and throws as you seem to have seen. Not entirely sure what is going on there perhaps the issue is I might have roundtriped the signing process that produced the signature being verified? When I can make time again (probably this weekend) I will try verifying a random signature and see if something is causing verify to return true in all cases. |
Possibly. For me, when I test your code it fails to validate (and then passes the test anyway) with or without the utf-8 round-trip. It's possible there's some platform-specific behaviour regarding the utf-8 conversion (I am testing on windows), although that really shouldn't be the case as utf-8 should be the same everywhere... |
I believe that I signed with a buffer made from a utf-8 so it is verifying
on the utf-8 buffer. anyways you are correct we should not require
that the verification be done in utf-8 so I will try to correct it.
…On Mon, Apr 20, 2020 at 8:29 AM Diggory Blake ***@***.***> wrote:
perhaps the issue is I might have roundtriped the signing process that
produced the signature being verified?
Possibly. For me, when I test your code it fails to validate (and then
passes the test anyway) with or without the utf-8 round-trip. It's possible
there's some platform-specific behaviour regarding the utf-8 conversion (I
am testing on windows), although that really shouldn't be the case as utf-8
should be the same everywhere...
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#28 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AACD6CEUKOT46W3LDDBJPLDRNQ52ZANCNFSM4MKGOLSA>
.
--
Andrew Jones
|
It's difficult to validate because this repo doesn't contain the expected signature string. However, when I manually apply the algorithm it also seems to fail. Furthermore, I have tested my implementation against the RSA-signed test case in the spec itself, where validation works as expected.
I've been using the test case
To test this.
My implementation is called with this command:
Stdin is:
From this, I compute the signature string:
Which I then try to validate using the supplied signature:
And the public key:
In my implementation, this validation fails as it thinks the signature is invalid, so I test this on the command line to make sure, using the following command:
sig.bin: binary signature having been base64-decoded
message.txt: contents of signature string (LF separated, no trailing newline)
My implementation is able to sign and verify its own signatures, and signatures generated from the command line, and the signature in the http-signatures spec, so either something very strange is going on, or the RSA signature in this repo is not valid.
The text was updated successfully, but these errors were encountered: