[botan-devel] X.509 signature algorithm decoding error

Uri Blumenthal uri at mit.edu
Mon Jan 12 20:52:46 EST 2015


Jack, you’re hard to convince, aren’t you?

I’ve reported that your algorithm comparison mechanism is broken, most likely because it improperly accounts for the "no parameters" case, and either adds ASN.1 NULL or doesn’t add it - at the wrong time. As a result, several certificates cannot be printed (and I daresay - parsed) by Botan because this parameter mismatch (no parameters at all for one, and added ASN.1 NULL for the other) causes a false condition of "Decoding error: Algorithm identifier mismatch".

I’m really tired of patching this afresh for every new Botan release.

Attached is the cert that causes this problem, along with its printout by OpenSSL, which does not make the same mistake as Botan:

openssl x509 -in ~/Documents/Certs/RabbitMQ-manager.pem -inform PEM -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 95267329 (0x5adaa01)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Forest CA, O=Forest PKI and CA, OU=PKI, ST=MA, C=US, L=Westford
        Validity
            Not Before: Dec 24 02:01:42 2014 GMT
            Not After : Sep 19 02:01:42 2018 GMT
        Subject: CN=RabbitMQ-manager, O=The Burrow, OU=Messengers, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e0:bb:4e:dd:ae:65:2d:04:0e:da:7f:e9:a7:9e:
                    47:99:e2:da:d9:06:d6:9f:ab:c3:cb:19:5b:b3:7e:
                    3a:4a:cf:22:68:80:dd:41:ec:cc:ee:2e:7c:6d:c9:
                    7b:06:8c:2e:29:7d:ee:e2:7f:03:98:df:70:47:5d:
                    b7:05:24:91:1c:61:77:e6:b9:16:2a:3c:fb:06:83:
                    b5:37:d6:0f:17:73:05:52:6d:bd:b6:62:57:41:98:
                    2e:29:74:39:5b:e3:77:00:a7:e6:b5:49:5e:ba:27:
                    e9:91:18:26:17:63:70:96:16:6d:06:a2:46:37:70:
                    1b:ef:7a:d7:7c:95:d2:f0:45:9d:b4:be:10:b9:1c:
                    e8:9e:b5:d4:2c:05:a8:48:e2:c3:aa:78:00:12:f1:
                    48:f8:de:05:33:15:d8:5f:89:40:78:e3:8c:98:47:
                    2f:52:9a:73:e2:84:59:eb:2a:a1:bd:f4:b5:96:1a:
                    f8:34:b7:d9:c6:6d:78:29:fb:ba:98:78:ad:65:92:
                    cc:a9:44:09:7c:62:0e:b3:17:2b:58:ee:ca:6d:57:
                    fe:33:7b:cc:71:1c:f1:a6:7b:dc:71:ea:2f:f6:85:
                    45:45:f0:19:77:9d:1a:35:b0:62:69:e0:3c:95:12:
                    53:e5:31:06:b6:9a:ec:f7:ac:8e:ef:1f:41:6e:ad:
                    2f:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: critical
                TLS Web Client Authentication, 1.3.6.1.5.2.3.4
    Signature Algorithm: sha256WithRSAEncryption
         15:b3:b0:1e:7b:78:98:7a:f2:6c:68:10:9c:65:30:7b:ec:83:
         16:1a:f9:f3:6c:c3:f2:99:c1:fc:63:3d:0f:e8:ab:6c:31:67:
         be:2d:46:38:5b:6e:cc:83:bb:21:77:15:5e:b4:01:8d:29:8c:
         99:80:09:2d:59:54:81:b8:1d:9d:de:b9:30:c8:0f:94:c8:a5:
         dc:2c:31:28:51:ee:40:79:56:86:42:92:90:56:83:44:bd:c2:
         2d:79:56:7c:f4:4f:60:0d:2c:a7:a5:3a:b2:60:0a:7b:09:96:
         91:0b:92:4b:c3:e5:bd:b2:9c:e6:d7:d8:ac:61:ac:a4:67:53:
         c3:67:48:80:da:0b:47:d4:c5:4d:0d:64:5d:96:14:26:e6:df:
         da:cf:da:a3:ca:3a:d2:27:f4:49:23:fb:73:4b:1e:59:c9:b4:
         36:49:55:32:06:b9:28:04:12:71:7a:43:99:de:92:ca:b4:a9:
         55:89:8c:ec:61:e2:a8:e5:21:e2:11:fd:ce:4a:8d:70:e6:68:
         8d:93:8f:b3:29:24:d7:a7:c2:4e:89:22:c3:e1:e5:a4:ce:d5:
         85:8a:3d:87:a2:e2:2a:55:c0:17:48:91:71:cf:71:6f:75:af:
         3e:b2:9e:67:c0:32:49:67:6f:29:43:b1:de:51:37:bc:fe:05:
         64:88:0b:c3


On Jan 4, 2015, at 15:09 , Uri Blumenthal <uri at MIT.EDU> wrote:

Update. I’ve added more debugging output to x509cert.cpp:

   // Debug output for the mismatch check; needs <iostream> and <iomanip>.
   if(sig_algo != sig_algo_inner) {
     std::cerr << "\nX509_Certificate::force_decode(): "
      << "Algorithm identifier mismatch: \n"
      << "sig_algo: \t\t\"" << sig_algo.oid.as_string() << "\""
      << " vs.\n"
      << "sig_algo_inner: \t\""
      << sig_algo_inner.oid.as_string() << "\"\n";
     std::cerr << "parameters vector sizes: "
      << sig_algo.parameters.size() << " "
      << sig_algo_inner.parameters.size() << "\n";
     // Dump the raw DER bytes of each parameters field, one decimal value per byte.
     std::cerr << "sig_algo params:\t\t";
     for (size_t i = 0; i < sig_algo.parameters.size(); i++)
       std::cerr << std::setw(3)
        << (int)(sig_algo.parameters[i]) << " ";
     std::cerr << "\nsig_algo_inner params:\t";
     for (size_t i = 0; i < sig_algo_inner.parameters.size(); i++)
       std::cerr << std::setw(3)
        << (int)(sig_algo_inner.parameters[i]) << " ";
     std::cerr << "\n\n";
     //throw Decoding_Error("Algorithm identifier mismatch");
   }

The output shows that the two algorithms differ in parameters (rather than in OID). One has two parameters, the other one has none:

$ ./botan x509print cert.pem

X509_Certificate::force_decode(): Algorithm identifier mismatch:
sig_algo: "1.2.840.113549.1.1.11" vs.
sig_algo_inner: "1.2.840.113549.1.1.11"
parameters vector sizes: 2 0
sig_algo params:   5   0
sig_algo_inner params:

Subject Name: RabbitMQ-manager
Subject Organization: The Burrow
Subject Organizational Unit: Messengers
Subject Country: US
Issuer Name: Forest CA
Issuer Organization: Forest PKI and CA
Issuer Organizational Unit: PKI
Issuer Locality: Westford
Issuer State: MA
Issuer Country: US
Version: 3
Not valid before: 2014/12/24 02:01:42 UTC
Not valid after: 2018/09/19 02:01:42 UTC
Constraints:
   Digital Signature
   Non-Repuidation
   Key Encipherment
   Data Encipherment
   Key Agreement
Extended Constraints:
   PKIX.ClientAuth

Signature algorithm: RSA/EMSA3(SHA-256)
Serial number: 05ADAA01
Public Key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LtO3a5lLQQO2n/pp55H
meLa2QbWn6vDyxlbs346Ss8iaIDdQezM7i58bcl7BowuKX3u4n8DmN9wR123BSSR
HGF35rkWKjz7BoO1N9YPF3MFUm29tmJXQZguKXQ5W+N3AKfmtUleuifpkRgmF2Nw
lhZtBqJGN3Ab73rXfJXS8EWdtL4QuRzonrXULAWoSOLDqngAEvFI+N4FMxXYX4lA
eOOMmEcvUppz4oRZ6yqhvfS1lhr4NLfZxm14Kfu6mHitZZLMqUQJfGIOsxcrWO7K
bVf+M3vMcRzxpnvcceov9oVFRfAZd50aNbBiaeA8lRJT5TEGtprs96yO7x9Bbq0v
/wIDAQAB
-----END PUBLIC KEY-----


On Jan 4, 2015, at 14:43 , Uri Blumenthal <uri at MIT.EDU> wrote:
On Jan 4, 2015, at 11:33 , Jack Lloyd <lloyd at randombit.net> wrote:
On Sun, Jan 04, 2015 at 02:01:50AM +0000, Uri Blumenthal wrote:
2. src/lib/cert/x509/x509cert.cpp incorrectly rejects certificates
where different signing algorithms are used. These are the offending
lines (99 and 100):

   if(sig_algo != sig_algo_inner)
      throw Decoding_Error("Algorithm identifier mismatch");

Hi Uri,

Can you send me example certificate(s) which cause this to trigger?

Certainly. Will attach one example to this email, and can produce/find more if needed.

That check has been in place since 2006 and while it's been a while
since I read the PKIX docs my understanding is these two fields should
always be the same.

I’ve modified the check in x509_cert.cpp to look like this:

   if(sig_algo != sig_algo_inner) {
     std::cerr << "\nX509_Certificate::force_decode(): "
      << "Algorithm identifier mismatch: \n"
      << "sig_algo: \t\t\"" << sig_algo.oid.as_string() << "\""
      << " vs.\n"
      << "sig_algo_inner: \t\""
      << sig_algo_inner.oid.as_string() << "\"" << "\n\n";
     //throw Decoding_Error("Algorithm identifier mismatch");
   }

and here’s its output on the cert in question:

$ ./botan x509print cert.pem

X509_Certificate::force_decode(): Algorithm identifier mismatch:
sig_algo: "1.2.840.113549.1.1.11" vs.
sig_algo_inner: "1.2.840.113549.1.1.11"

Subject Name: RabbitMQ-manager
Subject Organization: The Burrow
Subject Organizational Unit: Messengers
Subject Country: US
Issuer Name: Forest CA
Issuer Organization: Forest PKI and CA
Issuer Organizational Unit: PKI
Issuer Locality: Westford
Issuer State: MA
Issuer Country: US
Version: 3
Not valid before: 2014/12/24 02:01:42 UTC
Not valid after: 2018/09/19 02:01:42 UTC
Constraints:
   Digital Signature
   Non-Repuidation
   Key Encipherment
   Data Encipherment
   Key Agreement
Extended Constraints:
   PKIX.ClientAuth

Signature algorithm: RSA/EMSA3(SHA-256)
Serial number: 05ADAA01
Public Key:
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4LtO3a5lLQQO2n/pp55H
meLa2QbWn6vDyxlbs346Ss8iaIDdQezM7i58bcl7BowuKX3u4n8DmN9wR123BSSR
HGF35rkWKjz7BoO1N9YPF3MFUm29tmJXQZguKXQ5W+N3AKfmtUleuifpkRgmF2Nw
lhZtBqJGN3Ab73rXfJXS8EWdtL4QuRzonrXULAWoSOLDqngAEvFI+N4FMxXYX4lA
eOOMmEcvUppz4oRZ6yqhvfS1lhr4NLfZxm14Kfu6mHitZZLMqUQJfGIOsxcrWO7K
bVf+M3vMcRzxpnvcceov9oVFRfAZd50aNbBiaeA8lRJT5TEGtprs96yO7x9Bbq0v
/wIDAQAB
-----END PUBLIC KEY-----



And here’s the certificate itself.

Just in case I’ve also cat ’n’ pasted it below.
--
Uri Blumenthal
uri at mit.edu

Bag Attributes
    friendlyName: RabbitMQ-manager
    localKeyID: C7 2B A2 5B 26 9C C7 6B 9B 13 B1 45 B8 EA D9 72 D0 2B 13 99
subject=/CN=RabbitMQ-manager/O=The Burrow/OU=Messengers/C=US
issuer=/CN=Forest CA/O=Forest PKI and CA/OU=PKI/ST=MA/C=US/L=Westford
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


<RabbitMQ-manager.pem>
_______________________________________________
botan-devel mailing list
botan-devel at randombit.net
http://lists.randombit.net/mailman/listinfo/botan-devel

--
Uri Blumenthal
uri at mit.edu


--
Uri Blumenthal
uri at mit.edu
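The mismatch the debugging output above exposes (one AlgorithmIdentifier carrying an explicit NULL, bytes 5 0, the other carrying no parameters field at all, same OID 1.2.840.113549.1.1.11) is easy to reproduce outside Botan. The following is an added example, not Botan's or OpenSSL's code: a minimal DER reader for AlgorithmIdentifier with two comparison policies, the byte-exact one that trips on this certificate and a lenient one that treats "absent" and "NULL" parameters as equivalent only for the PKCS#1 v1.5 RSA signature OIDs (RFC 4055 requires NULL there; ECDSA OIDs, which must have no parameters, stay strict). The two encodings are constructed here from the standard DER of the sha256WithRSAEncryption OID; the ECDSA sample is likewise constructed for contrast.

```python
# Added example: DER AlgorithmIdentifier parsing plus strict vs. lenient comparison.
# Not Botan code. All byte strings below are constructed samples.

from dataclasses import dataclass
from typing import Optional, Tuple

# sha256WithRSAEncryption, OID 1.2.840.113549.1.1.11 (constructed DER samples):
ALG_RSA_SHA256_NULL = bytes.fromhex("300d06092a864886f70d01010b0500")  # parameters = NULL (05 00)
ALG_RSA_SHA256_NONE = bytes.fromhex("300b06092a864886f70d01010b")      # parameters absent
# ecdsa-with-SHA256, OID 1.2.840.10045.4.3.2 (constructed), correctly without parameters,
# and a malformed variant with a NULL that the lenient policy must still reject:
ALG_ECDSA_SHA256 = bytes.fromhex("300a06082a8648ce3d040302")
ALG_ECDSA_SHA256_NULL = bytes.fromhex("300c06082a8648ce3d0403020500")

# PKCS#1 v1.5 RSA signature OIDs whose parameters field is specified as NULL (RFC 4055 s.5).
RSA_PKCS1_SIG_OIDS = {
    "1.2.840.113549.1.1.5",   # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13",  # sha512WithRSAEncryption
}

DER_NULL = b"\x05\x00"


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted notation."""
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)          # first two arcs are packed into one value
    return ".".join(str(x) for x in [first, arcs[0] - 40 * first] + arcs[1:])


@dataclass(frozen=True)
class AlgorithmIdentifier:
    oid: str
    parameters: Optional[bytes]            # raw DER of the parameters element, None if absent


def parse_algorithm_identifier(der: bytes) -> AlgorithmIdentifier:
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_bytes, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    params = seq[pos:] if pos < len(seq) else None
    return AlgorithmIdentifier(decode_oid(oid_bytes), params)


def strict_equal(a: AlgorithmIdentifier, b: AlgorithmIdentifier) -> bool:
    """Byte-exact comparison of OID and parameters: rejects NULL-vs-absent."""
    return a == b


def lenient_equal(a: AlgorithmIdentifier, b: AlgorithmIdentifier) -> bool:
    """Same OID required. Absent parameters count as NULL only for the RSA PKCS#1
    signature OIDs; every other algorithm is compared byte-exactly."""
    if a.oid != b.oid:
        return False
    if a.parameters == b.parameters:
        return True
    if a.oid in RSA_PKCS1_SIG_OIDS:
        return {a.parameters, b.parameters} <= {None, DER_NULL}
    return False


if __name__ == "__main__":
    outer = parse_algorithm_identifier(ALG_RSA_SHA256_NULL)
    inner = parse_algorithm_identifier(ALG_RSA_SHA256_NONE)
    print(outer, inner)
    print("strict:", strict_equal(outer, inner), "lenient:", lenient_equal(outer, inner))
```

Run as-is it prints the two parsed identifiers and `strict: False lenient: True`, which is exactly the situation the `parameters vector sizes: 2 0` line above reports. The lenient policy is deliberately scoped to the RSA OID set: widening it to every algorithm would silently accept parameter differences (for example a different PSS salt length) that do change the signature's meaning.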

-------------- next part --------------
A non-text attachment was scrubbed...
Name: RabbitMQ-manager.pem
Type: application/x-x509-ca-cert
Size: 2827 bytes
Desc: RabbitMQ-manager.pem
URL: <http://lists.randombit.net/pipermail/botan-devel/attachments/20150113/dd5b9bfd/attachment-0001.crt>

