Description
Hi everyone!
I'm running TLS-Attacker 6.3.2 and testing out the TLS 1.3 server. I tried to establish two sessions, one using ECDSA_SHA256 and the other RSA_PSS_RSAE_SHA256 as the signature algorithm used in the CertificateVerify message (I did not try other signature algorithm schemes; these two seem to be supported judging by the documentation).
ECDSA: java -jar TLS-Server.jar -port 12345 -key test_data/ec/ec_key.pem -cert test_data/ec/ec_cert.pem -version TLS13 -config test_data/configuration_tls13.xml -keylogfile test_data/ec/key.log -debug -signature_hash_algo ECDSA_SHA256
RSA: java -jar TLS-Server.jar -port 12345 -key test_data/rsa/rsa_key.pem -cert test_data/rsa/rsa_cert.pem -version TLS13 -config test_data/configuration_tls13.xml -keylogfile test_data/rsa/key.log -debug -signature_hash_algo RSA_PSS_RSAE_SHA256
For the client side I use openssl:
ECDSA: openssl s_client -connect 127.0.0.1:12345 -ciphersuites 'TLS_AES_128_GCM_SHA256' -tls1_3 -debug -msg -security_debug -security_debug_verbose -trace -keylogfile keylog.file -sigalgs ecdsa_secp256r1_sha256
RSA: openssl s_client -connect 127.0.0.1:12345 -ciphersuites 'TLS_AES_128_GCM_SHA256' -tls1_3 -debug -msg -security_debug -security_debug_verbose -trace -keylogfile keylog.file -sigalgs rsa_pss_rsae_sha256
In both cases the openssl client is not able to verify the signature in the CertificateVerify:
ECDSA:
Inner Content Type = Handshake (22)
CertificateVerify, Length=74
Signature Algorithm: ecdsa_secp256r1_sha256 (0x0403)
Signature (len=70): 304402205FC0EF3C8613F7B893232A3D4C1036AB657047B9416FCF64C369D7881C4F1FB40220504ED7C5274D133691CEF26851EFBCAEDA10BA7C16C3395B3FA16CEC47F3F909
Security callback: Check Signature Algorithm scheme=ecdsa_secp256r1_sha256, security bits=128: yes
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 2
write to 0x61a92eb82140 [0x61a92eb9ec40] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 33 ......3
Level=fatal(2), description=decrypt error(51)
4067992DD07E0000:error:0A00007B:SSL routines:tls_process_cert_verify:bad signature:../ssl/statem/statem_lib.c:538:
RSA:
Inner Content Type = Handshake (22)
CertificateVerify, Length=260
Signature Algorithm: rsa_pss_rsae_sha256 (0x0804)
Signature (len […]
Security callback: Check Signature Algorithm scheme=rsa_pss_rsae_sha256, security bits=128: yes
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 2
write to 0x5e474563e140 [0x5e4745659c30] (7 bytes => 7 (0x7))
0000 - 15 03 03 00 02 02 33 ......3
Level=fatal(2), description=decrypt error(51)
40D7150CF5730000:error:02000086:rsa routines:RSA_verify_PKCS1_PSS_mgf1:last octet invalid:../crypto/rsa/rsa_pss.c:94:
40D7150CF5730000:error:1C880004:Provider routines:rsa_verify:RSA lib:../providers/implementations/signature/rsa_sig.c:815:
40D7150CF5730000:error:0A00007B:SSL routines:tls_process_cert_verify:bad signature:../ssl/statem/statem_lib.c:538:
Additionally, in the ECDSA certificate case, when the public key is parsed from the certificate it is correctly identified:
10:25:49 [main] DEBUG: SubjectPublicKeyAlgorithmIdentifierParser - X509PublicKeyType: ECDH_ECDSA (ECDH_ECDSA)
10:25:49 [main] DEBUG: SubjectPublicKeyAlgorithmIdentifierParser - Expecting X509EcNamedCurveParameters
10:25:49 [main] DEBUG: X509Asn1ObjectIdentifierParser - Parsing Asn1ObjectIdentifier (namedCurve)
10:25:49 [main] DEBUG: ParserHelper - Parsed short tag octets: 06
10:25:49 [main] DEBUG: ParserHelper - Parsed (short) length octets: 08
10:25:49 [main] DEBUG: ParserHelper - Parsed content octets: 2A 86 48 CE 3D 03 01 07
10:25:49 [main] DEBUG: X509Asn1ObjectIdentifierParser - Parsed Asn1ObjectIdentifier (namedCurve): 1.2.840.10045.3.1.7
10:25:49 [main] DEBUG: X509EcNamedCurveParametersHandler - Parameters with named curve: SECP256R1
But later on, during the CertificateVerify preparation, the SignatureAndHashAlgorithmSelector gets the public key type RSA from the context, which renders the fallback setting necessary:
10:25:49 [main] DEBUG: SignatureAndHashAlgorithmSelector - Selecting SignatureAndHashAlgorithm for public key type RSA
10:25:49 [main] DEBUG: SignatureAndHashAlgorithmSelector - Algorithm pairs supported by both peers, suitable for public key type, and protocol version: []
10:25:49 [main] DEBUG: SignatureAndHashAlgorithmSelector - No common algorithm found, selected fall-back algorithm ECDSA_SHA256
I additionally tried using a certificate with RSA 4096 (previously 2048). According to RFC 8017 I would expect the signature length to vary with the modulus size, so when using a 4096-bit key a 512-byte signature would be produced. This does not seem to be the case:
10:34:09 [main] DEBUG: SignatureAndHashAlgorithmSelector - Selecting SignatureAndHashAlgorithm for public key type RSA
10:34:09 [main] DEBUG: SignatureAndHashAlgorithmSelector - Algorithm pairs supported by both peers, suitable for public key type, and protocol version: [RSA_PSS_RSAE_SHA256]
10:34:09 [main] DEBUG: AlgorithmResolver - Using the following Digest Algorithm: SHA256
10:34:09 [main] DEBUG: SignatureCalculator - Digest: B2 BB C7 F8 37 2A AF 7A 1F A3 7B B6 15 01 3F 11 3A 15 54 D9 7C FB 00 A7 19 03 B7 1D CB 5E F6 24
10:34:09 [main] DEBUG: SignatureCalculator - Padded salted digest: 00 00 00 00 00 00 00 00 B2 BB C7 F8 37 2A AF 7A 1F A3 7B B6 15 01 3F 11 3A 15 54 D9 7C FB 00 A7 19 03 B7 1D CB 5E F6 24 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
10:34:09 [main] DEBUG: SignatureCalculator - H: B2 4F C3 68 8A 79 2A B0 E4 EE 22 1B B8 96 45 13 06 B2 7E 0B 04 33 46 93 6F 5E 3F D3 2D F3 07 2A
10:34:09 [main] DEBUG: SignatureCalculator - Ps value: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
10:34:09 [main] DEBUG: SignatureCalculator - DB: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA
10:34:09 [main] DEBUG: SignatureCalculator - DB mask […]
10:34:09 [main] DEBUG: SignatureCalculator - Masked […]
10:34:09 [main] DEBUG: SignatureCalculator - EM: 2C 77 F0 22 F0 89 19 4F 92 BB BB CB 29 8E EF 49 1C 38 90 CF 84 85 24 C1 68 49 2A D9 A6 34 0A 28 3C 1F 3F 6C 86 34 79 A6 DD 63 08 09 44 37 2F 0C A4 F1 51 E9 53 C0 FA 52 FD CF 04 85 DF 04 A3 30 5E 35 6B 36 4E 47 E2 57 D4 09 F4 44 78 14 E8 08 DA C8 4F 8A BB 7B 1A 5E E5 DF 9A 1F 46 74 54 91 51 13 3A 49 7F 7B 9B 1E C1 DE 17 8E C2 81 34 E2 B9 A0 D7 C8 0F 8B 1D 52 FB 92 43 34 43 95 90 7D 44 C5 74 9B EB D9 F8 D4 47 34 96 AE 59 CE 62 F1 74 1B DF C0 AD 11 20 7D EF 89 2C 05 0E B3 D2 68 A9 1C 41 DE EE BA 39 65 14 85 87 28 86 6B 9D 9F CC A6 2D DD AD 24 D4 18 3F C6 04 A7 37 46 09 17 C1 48 63 46 11 56 87 30 D6 CC 0C FD 6F C6 6B 65 A7 28 7E 4A 1B FE F2 A0 AB E1 30 DC 2D 36 70 B2 4F C3 68 8A 79 2A B0 E4 EE 22 1B B8 96 45 13 06 B2 7E 0B 04 33 46 93 6F 5E 3F D3 2D F3 07 2A BC
10:34:09 [main] DEBUG: CertificateVerifyPreparator - Signature […]
10:34:09 [main] DEBUG: CertificateVerifyPreparator - SignatureLength: 255
10:34:09 [main] DEBUG: CertificateVerifyPreparator - SignatureHasAlgorithm: 08 04
10:34:09 [main] DEBUG: CertificateVerifySerializer - Serializing CertificateVerifyMessage
10:34:09 [main] DEBUG: CertificateVerifySerializer - SignatureHashAlgorithms: 08 04
10:34:09 [main] DEBUG: CertificateVerifySerializer - SignatureLength: 255
10:34:09 [main] DEBUG: CertificateVerifySerializer - Signature […]
rsa_client4096_trace.txt
rsa_server4096_trace.txt
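As an added diagnostic (not TLS-Attacker code and not the reporter's), the Python snippet below parses a TLS 1.3 CertificateVerify body and flags the two inconsistencies discussed in the report: a SignatureScheme that does not fit the certificate's key type, and an RSA-PSS signature whose length differs from the modulus length k that RFC 8017 section 8.1.1 prescribes. The function names and the sample byte strings are assumptions constructed for the example.

```python
import struct

# TLS 1.3 SignatureScheme code points (RFC 8446, section 4.2.3)
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
SCHEME_KEY_TYPE = {ECDSA_SECP256R1_SHA256: "EC", RSA_PSS_RSAE_SHA256: "RSA"}


def parse_certificate_verify(body: bytes):
    """Split a CertificateVerify body (RFC 8446, section 4.4.3) into (scheme, signature):
    SignatureScheme (2 bytes), then opaque signature<0..2^16-1> (2-byte length + bytes).
    """
    if len(body) < 4:
        raise ValueError("CertificateVerify body shorter than 4 bytes")
    scheme, sig_len = struct.unpack(">HH", body[:4])
    if len(body) != 4 + sig_len:
        raise ValueError(f"length field says {sig_len}, body carries {len(body) - 4}")
    return scheme, body[4:]


def check_certificate_verify(body: bytes, key_type: str, key_bits: int):
    """Return a list of inconsistencies between the message and the certificate's key.
    key_type is "EC" or "RSA" (from SubjectPublicKeyInfo); key_bits is curve or modulus size.
    """
    scheme, sig = parse_certificate_verify(body)
    expected_type = SCHEME_KEY_TYPE.get(scheme)
    if expected_type is None:
        return [f"unsupported SignatureScheme 0x{scheme:04x}"]
    findings = []
    if expected_type != key_type:
        findings.append(f"scheme 0x{scheme:04x} requires key type {expected_type}, certificate key is {key_type}")
    if scheme == RSA_PSS_RSAE_SHA256:
        # RSASSA-PSS output is exactly k = ceil(modBits / 8) octets (RFC 8017, section 8.1.1)
        k = (key_bits + 7) // 8
        if len(sig) != k:
            findings.append(f"RSA-PSS signature is {len(sig)} bytes, expected {k} for a {key_bits}-bit modulus")
    elif scheme == ECDSA_SECP256R1_SHA256:
        # ECDSA-Sig-Value is DER SEQUENCE { r INTEGER, s INTEGER }; for P-256 it is at most 72 bytes
        if len(sig) < 8 or len(sig) > 72 or sig[0] != 0x30 or sig[1] != len(sig) - 2:
            findings.append("ECDSA signature is not a well-formed DER ECDSA-Sig-Value")
    return findings


# Constructed samples (not bytes from the report's traces): a 70-byte DER-shaped ECDSA
# signature under scheme 0x0403, and a 255-byte blob under scheme 0x0804 as the log reports.
SAMPLE_ECDSA = (struct.pack(">HH", ECDSA_SECP256R1_SHA256, 70)
                + b"\x30\x44\x02\x20" + b"\x5f" * 32 + b"\x02\x20" + b"\x50" * 32)
SAMPLE_RSA = struct.pack(">HH", RSA_PSS_RSAE_SHA256, 255) + b"\xaa" * 255
```

A message that passes these checks can still be rejected by the peer, as the reporter's well-formed 70-byte ECDSA signature shows; the checks only rule out framing, key-type and length problems.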