Bug 1284292 - SPKAC signature verification failing with openssl on fedora 23
Summary: SPKAC signature verification failing with openssl on fedora 23
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: openssl
Version: 23
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-22 23:25 UTC by Beau V.C. Bellamy
Modified: 2016-02-09 08:17 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-23 09:48:06 UTC
Type: Bug
Embargoed:


Attachments
SPKAC file with key and signature generated from web browser ready to sign. (515 bytes, text/plain)
2015-11-22 23:25 UTC, Beau V.C. Bellamy

Description Beau V.C. Bellamy 2015-11-22 23:25:36 UTC
Created attachment 1097553
SPKAC file with key and signature generated from web browser ready to sign.

Description of problem:
Browser-generated SPKAC public key and signature fail validation with OpenSSL 1.0.2d on Fedora 23. The same file will pass on Gentoo with the identical version of OpenSSL.

Version-Release number of selected component (if applicable):
OpenSSL 1.0.2d-fips 9 Jul 2015

How reproducible: Always

Steps to reproduce:
(Setup CA)
# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048
# openssl req -x509 -new -nodes -key /etc/pki/CA/private/cakey.pem -days 1024 -out /etc/pki/CA/cacert.pem
# touch /etc/pki/CA/index.txt
# touch /etc/pki/CA/index.txt.attr
# echo 10 > /etc/pki/CA/serial
# /sbin/restorecon -R /etc/pki
(Download SPKAC file from bugzilla)
(Sign SPKAC file)
# openssl ca -spkac certreqOoogSZ.spkac

Actual results:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the SPKAC request matches the signature
signature verification failed on SPKAC public key
140017172965240:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
140017172965240:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:183:


Expected results:
Using configuration from /etc/pki/tls/openssl.cnf
Check that the SPKAC request matches the signature
Signature ok

Comment 1 Tomas Mraz 2015-11-23 09:48:06 UTC
The SPKAC probably uses MD5 in its signature. That is insecure and openssl in Fedora does not verify signatures which use MD5 by default. You can set OPENSSL_ENABLE_MD5_VERIFY environment variable as a workaround to enable it.

Comment 2 Tim Wegener 2016-02-09 05:22:34 UTC
(In reply to Tomas Mraz from comment #1)
> The SPKAC probably uses MD5 in its signature. That is insecure and openssl
> in Fedora does not verify signatures which use MD5 by default. You can set
> OPENSSL_ENABLE_MD5_VERIFY environment variable as a workaround to enable it.


But given that spkac seems to be hardwired to use md5 (at least via 'openssl spkac') it seems strange that Fedora openssl will create an spkac that it can't verify. There doesn't appear to be an option to change the digest algorithm used to generate the SPKAC.

Example:

# Generate an SPKAC:
openssl spkac -out generated_spkac -challenge aaa -key ~/.ssh/id_rsa
# Verify the generated SPKAC:
openssl spkac -verify -in generated_spkac
Netscape SPKI:
  Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)
    Modulus:
...
  Challenge String: aaa
  Signature Algorithm: md5WithRSAEncryption
...
Signature Failure
139678195730296:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:191:



Perhaps verifying spkac should be special cased to allow md5?

Cf. this discussion: https://lists.w3.org/Archives/Public/public-webid/2015Sep/0011.html


The suggested workaround doesn't seem great, i.e. it feels bad to allow md5 across the board (which is a significant security issue in other contexts), rather than just spkac (where it is less so, at least according to that linked discussion).

Thoughts?
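
Added example (not part of this bug report or of OpenSSL): the errors in the description and in comment 2 come from the signatureAlgorithm field inside the SignedPublicKeyAndChallenge structure, so the digest an SPKAC uses can be read out of the file before deciding whether the OPENSSL_ENABLE_MD5_VERIFY workaround from comment 1 is needed at all. The script below decodes the base64 after `SPKAC=`, walks the DER with a minimal parser, and reports the challenge and the signature algorithm. The SPKAC it parses is constructed inline with a dummy key and dummy signature (no real cryptography, and not the attachment from this bug); the OID table and the `fedora_default_verdict` helper are assumptions of this example, with the verdict mirroring comment 1.

```python
"""Added example: identify the signature digest used by an SPKAC file.

The sample SPKAC is constructed here with a placeholder key and signature;
it is not the attachment from the bug and is never cryptographically valid.
"""
import base64

# OIDs for the signature algorithms this example recognises (assumed table).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

# --- minimal DER helpers: SEQUENCE, OID, BIT STRING, IA5String, NULL ---

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def parse_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_spkac(challenge, sig_oid):
    """Construct an 'SPKAC=<base64>' line with a dummy key and dummy signature."""
    rsa_alg = der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
    dummy_key = der(0x03, b"\x00" + b"\x30\x03\x02\x01\x03")   # constructed, not a real key
    spki = der(0x30, rsa_alg + dummy_key)                       # SubjectPublicKeyInfo
    pkac = der(0x30, spki + der(0x16, challenge.encode("ascii")))  # PublicKeyAndChallenge
    sig_alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))      # AlgorithmIdentifier
    signature = der(0x03, b"\x00" + b"\xAA" * 16)               # constructed, not a real signature
    return "SPKAC=" + base64.b64encode(der(0x30, pkac + sig_alg + signature)).decode()

def spkac_signature_digest(spkac_text):
    """Return (challenge, signature algorithm name) for an SPKAC file body."""
    b64 = next(line.split("=", 1)[1] for line in spkac_text.splitlines()
               if line.startswith("SPKAC="))
    raw = base64.b64decode(b64)
    _, outer, _ = parse_tlv(raw)               # SignedPublicKeyAndChallenge
    _, pkac, pos = parse_tlv(outer)            # PublicKeyAndChallenge
    _, sig_alg, _ = parse_tlv(outer, pos)      # signatureAlgorithm
    _, _, cpos = parse_tlv(pkac)               # skip SubjectPublicKeyInfo
    _, challenge, _ = parse_tlv(pkac, cpos)    # IA5String challenge
    _, oid_body, _ = parse_tlv(sig_alg)        # algorithm OID
    oid = decode_oid(oid_body)
    return challenge.decode("ascii"), SIG_ALG_OIDS.get(oid, oid)

def fedora_default_verdict(alg_name):
    """Mirror comment 1: Fedora's openssl rejects MD5 signatures unless the env var is set."""
    if alg_name == "md5WithRSAEncryption":
        return "rejected by default (MD5); needs OPENSSL_ENABLE_MD5_VERIFY"
    return "verifiable by default"

if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        chal, alg = spkac_signature_digest(build_spkac("aaa", oid))
        print(chal, alg, "->", fedora_default_verdict(alg))
```

Running it on a real `certreq*.spkac` file (read the file and pass its text to `spkac_signature_digest`) tells you which digest the browser or `openssl spkac` used, which is exactly what the "unknown message digest algorithm" error hides. Because the parser only decodes structure, it never needs MD5 to be enabled, so the environment variable can be left unset during triage and, if it is needed at all, set for the single `openssl ca` invocation rather than exported for the whole session.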

Comment 3 Tomas Mraz 2016-02-09 08:17:03 UTC
I'd rather change the algorithm to be used to sha1WithRSAEncryption than this.

