Created attachment 1097553 [details]
SPKAC file with key and signature generated from web browser ready to sign.

Description of problem:
Browser generated SPKAC public key and signature fail validation with OpenSSL 1.0.2d on Fedora 23. The same file will pass on Gentoo with the identical version of OpenSSL.

Version-Release number of selected component (if applicable):
OpenSSL 1.0.2d-fips 9 Jul 2015

How reproducible:
Always

Steps to reproduce:
(Setup CA)
#openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
#openssl req -x509 -new -nodes -key /etc/pki/CA/private/cakey.pem -days 1024 -out /etc/pki/CA/cacert.pem
#touch /etc/pki/CA/index.txt
#touch /etc/pki/CA/index.txt.attr
#echo 10 > /etc/pki/CA/serial
#/sbin/restorecon -R /etc/pki
(Download SPKAC file from bugzilla)
(Sign SPKAC file)
#openssl ca -spkac certreqOoogSZ.spkac

Actual results:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the SPKAC request matches the signature
signature verification failed on SPKAC public key
140017172965240:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
140017172965240:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:183:

Expected results:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the SPKAC request matches the signature
Signature ok
The SPKAC probably uses MD5 in its signature. That is insecure and openssl in Fedora does not verify signatures which use MD5 by default. You can set OPENSSL_ENABLE_MD5_VERIFY environment variable as a workaround to enable it.
(In reply to Tomas Mraz from comment #1)
> The SPKAC probably uses MD5 in its signature. That is insecure and openssl
> in Fedora does not verify signatures which use MD5 by default. You can set
> OPENSSL_ENABLE_MD5_VERIFY environment variable as a workaround to enable it.

But given that spkac seems to be hardwired to use md5 (at least via 'openssl spkac') it seems strange that Fedora openssl will create an spkac that it can't verify. There doesn't appear to be an option to change the digest algorithm used to generate the SPKAC.

Example:

# Generate an SPKAC:
openssl spkac -out generated_spkac -challenge aaa -key ~/.ssh/id_rsa

# Verify the generated SPKAC:
openssl spkac -verify -in generated_spkac
Netscape SPKI:
  Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
        ...
  Challenge String: aaa
  Signature Algorithm: md5WithRSAEncryption
      ...
Signature Failure
139678195730296:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:191:

Perhaps verifying spkac should be special cased to allow md5? Cf. this discussion:
https://lists.w3.org/Archives/Public/public-webid/2015Sep/0011.html

The suggested workaround doesn't seem great, i.e. it feels bad to allow md5 across the board (which is a significant security issue in other contexts), rather than just spkac (where it is less so, at least according to that linked discussion).

Thoughts?
I'd rather change the algorithm to be used to sha1WithRSAEncryption than this.
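The thread turns on one fact about the request: the digest named in the SPKAC's signature AlgorithmIdentifier. A CA operator can read that field before handing the file to `openssl ca`, and then decide per request whether the MD5 override from comment #1 is needed at all, instead of exporting it for every invocation. The following is an added example, not code from the bug report, from OpenSSL or from Fedora: a minimal DER walker that pulls the signature OID out of an SPKAC= file and builds the environment for a single `openssl ca -spkac` run. The function names (`spkac_signature_oid`, `openssl_ca_env`, `build_sample_spkac`) are this example's own, and the sample SPKAC it constructs carries a zero-filled placeholder key and signature so the block runs offline; it is only useful for exercising the algorithm check, not for signing anything.

```python
import base64

# DER encodings (tag + length + content) of the PKCS#1 OIDs this checker knows.
OID_RSA_ENCRYPTION_DER = bytes.fromhex("06092a864886f70d010101")
OID_MD5_RSA_DER = bytes.fromhex("06092a864886f70d010104")
OID_SHA1_RSA_DER = bytes.fromhex("06092a864886f70d010105")
OID_SHA256_RSA_DER = bytes.fromhex("06092a864886f70d01010b")

MD5_WITH_RSA = "1.2.840.113549.1.1.4"
SIG_ALG_NAMES = {
    MD5_WITH_RSA: "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
DER_NULL = b"\x05\x00"


def _read_tlv(buf, pos):
    """Decode the DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length, as real 2048-bit requests use
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs = [content[0] // 40, content[0] % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def spkac_signature_oid(spkac_text):
    """Dotted OID of the signature algorithm in an SPKAC.

    Accepts the bare base64 blob or a file of the kind `openssl ca -spkac`
    reads (an SPKAC=... line, possibly next to CN=... lines). Layout walked:
    SEQUENCE { publicKeyAndChallenge, signatureAlgorithm, signature BIT STRING }
    """
    b64 = spkac_text.strip()
    for line in b64.splitlines():
        if line.startswith("SPKAC="):
            b64 = line[len("SPKAC="):].strip()
            break
    der = base64.b64decode(b64)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SPKAC is not a DER SEQUENCE")
    _, _pkac, pos = _read_tlv(body, 0)        # publicKeyAndChallenge, skipped
    tag, algid, _ = _read_tlv(body, pos)      # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)


def signature_algorithm_name(spkac_text):
    oid = spkac_signature_oid(spkac_text)
    return SIG_ALG_NAMES.get(oid, oid)


def uses_md5(spkac_text):
    return spkac_signature_oid(spkac_text) == MD5_WITH_RSA


def openssl_ca_env(spkac_text, base_env=None):
    """Environment for one `openssl ca -spkac` run: the override named in
    comment #1 is set only when this particular request actually needs it."""
    env = dict(base_env or {})
    if uses_md5(spkac_text):
        env["OPENSSL_ENABLE_MD5_VERIFY"] = "1"
    return env


# --- constructed sample input: placeholder key and signature, not real ones ---

def _der(tag, value):
    """Minimal DER TLV encoder with long-form lengths."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_spkac(sig_alg_der, challenge=b"aaa"):
    """SPKAC= line whose signatureAlgorithm is sig_alg_der; key and signature are zeros."""
    spki = _der(0x30, _der(0x30, OID_RSA_ENCRYPTION_DER + DER_NULL) + _der(0x03, b"\x00" * 9))
    pkac = _der(0x30, spki + _der(0x16, challenge))
    algid = _der(0x30, sig_alg_der + DER_NULL)
    sig = _der(0x03, b"\x00" * 257)           # long enough to force a long-form length
    return "SPKAC=" + base64.b64encode(_der(0x30, pkac + algid + sig)).decode("ascii")


if __name__ == "__main__":
    sample = build_sample_spkac(OID_MD5_RSA_DER)
    print(signature_algorithm_name(sample), openssl_ca_env(sample))
```

With a real request file, `openssl_ca_env(open(path).read(), os.environ)` gives the environment to pass to `subprocess.run(["openssl", "ca", "-spkac", path], env=...)`; the same effect from a shell is `OPENSSL_ENABLE_MD5_VERIFY=1 openssl ca -spkac file`, which scopes the variable to that one command rather than the whole session. Requests whose OID is anything other than md5WithRSAEncryption run without the override, so a stray MD5 signature elsewhere is still rejected.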