openssl and dsa keys

[timlegge]

I seem to remember seeing something about DSA keys being disabled by default. Is that correct?

The latest compiled from the repo does not seem to support them any more. I realise they are not secure but being able to verify or decrypt was useful.

[lsh123]

The DSA is not disabled by default and you should see it when you run './configure' . However you might have run into another potential security problem that I wanted to fix for a while and finally fixed recently. This change breaks API/ABI for obvious reasons and I wanted to do as many of the breaking changes at once as possible:

• (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility.

(see notes)

[timlegge]

Thanks, I will check that. Timothy Legge ***@***.*** ***@***.***

…

On Mon, Feb 27, 2023 at 12:53 AM lsh123 ***@***.***> wrote: The DSA is not disabled by default and you should see it when you run './configure' . However you might have run into another potential security problem that I wanted to fix for a while and finally fixed recently. This change breaks API/ABI for obvious reasons and I wanted to do as many of the breaking changes at once as possible: - (API breaking change) Changed the key search to strict mode: only keys referenced by KeyInfo are used. To restore the old "lax" mode set XMLSEC_KEYINFO_FLAGS_LAX_KEY_SEARCH flag on xmlSecKeyInfoCtx or use '--lax-key-search' option for XMLSec command line utility. (see notes <https://github.com/lsh123/xmlsec/blob/6e197072ee8355542a70404e660abc1a50f9dc45/docs/index.html#L82> ) — Reply to this email directly, view it on GitHub <#556 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N64WJMJTN323O324HF3WZQXNXANCNFSM6AAAAAAVI3WYPU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[timlegge]

Hi @lsh123

I found the issue:

git diff 5629c7e 42e07c2

seems to cause my issue.

xmlsec/src/openssl/signatures.c

Line 847 in d3dda5d

signHalfLen = ctx->dsaOutputLen / 2;

gets the size from the structure ctx but

xmlsec/src/openssl/signatures.c

Line 258 in d3dda5d

ctx->dsaOutputLen = 2 * XMLSEC_OPENSSL_SIGNATURE_DSA_SHA256_HALF_LEN;

If SHA_256 is enabled it overwrites the signature size for SHA1 40 with 64 (SHA256)

This is incorrect since the size of the signature needed here depends on the size of the signature algorithm signature not whether one of the signatures are enabled.

xmlsec/src/openssl/signatures.c

Line 258 in d3dda5d

ctx->dsaOutputLen = 2 * XMLSEC_OPENSSL_SIGNATURE_DSA_SHA256_HALF_LEN;

Changing the following fixes my issue but is obviously incorrect. The signature size is depended on the algorithm

diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
index 865a8380..e99129e6 100644
--- a/src/openssl/signatures.c
+++ b/src/openssl/signatures.c
@@ -233,7 +233,7 @@ xmlSecOpenSSLSignatureInitialize(xmlSecTransformPtr transform) {
         ctx->keyId          = xmlSecOpenSSLKeyDataDsaId;
         ctx->signCallback   = xmlSecOpenSSLSignatureDsaSign;
         ctx->verifyCallback = xmlSecOpenSSLSignatureDsaVerify;
-        ctx->dsaOutputLen   = 2 * XMLSEC_OPENSSL_SIGNATURE_DSA_SHA256_HALF_LEN;
+        ctx->dsaOutputLen   = 2 * XMLSEC_OPENSSL_SIGNATURE_DSA_SHA1_HALF_LEN;
     } else
 #endif /* XMLSEC_NO_SHA256 */

calling xmlsec1 failed: 'func=xmlSecOpenSSLSignatureDsaVerify:file=signatures.c:line=867:obj=unknown:subj=DSA signatue len:error=4:crypto library function failed:signHalfLen=32; signLen=40; openssl error: error:00000000:lib(0)::reason(0)
func=xmlSecOpenSSLSignatureVerify:file=signatures.c:line=440:obj=dsa-sha256:subj=verifyCallback:error=1:xmlsec library function failed: 
func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1545:obj=dsa-sha256:subj=xmlSecTransformVerify:error=1:xmlsec library function failcalling xmlsec1 failed: 'func=xmlSecOpenSSLSignatureDsaVerify:file=signatures.c:line=867:obj=unknown:subj=DSA signatue len:error=4:crypto library function failed:signHalfLen=32; signLen=40; openssl error: error:00000000:lib(0)::reason(0)
func=xmlSecOpenSSLSignatureVerify:file=signatures.c:line=440:obj=dsa-sha256:subj=verifyCallback:error=1:xmlsec library function failed: 
func=xmlSecTransformVerifyNodeContent:file=transforms.c:line=1545:obj=dsa-sha256:subj=xmlSecTransformVerify:error=1:xmlsec library function failed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=367:obj=unknown:subj=xmlSecTransformVerifyNodeContent:error=1:xmlsec library function failed: 
Error: signature failed 
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "t/dsa.xml"
'
# Tests were run but no plan was declared and done_testing() was not seen.
ed: 
func=xmlSecDSigCtxVerify:file=xmldsig.c:line=367:obj=unknown:subj=xmlSecTransformVerifyNodeContent:error=1:xmlsec library function failed: 
Error: signature failed 
ERROR
SignedInfo References (ok/all): 1/1
Manifests References (ok/all): 0/0
Error: failed to verify file "t/dsa.xml"
'
# Tests were run but no plan was declared and done_testing() was not seen.

[lsh123]

Sorry this doesn't sound right... the code looks like this:

#ifndef XMLSEC_NO_SHA1
    if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformDsaSha1Id)) {
        ...
        ctx->dsaOutputLen   = 2 * XMLSEC_OPENSSL_SIGNATURE_DSA_SHA1_HALF_LEN;
    } else
#endif /* XMLSEC_NO_SHA1 */

#ifndef XMLSEC_NO_SHA256
    if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformDsaSha256Id)) {
         ...
        ctx->dsaOutputLen   = 2 * XMLSEC_OPENSSL_SIGNATURE_DSA_SHA256_HALF_LEN;
    } else
#endif /* XMLSEC_NO_SHA256 */

I.e. it is setting expected output length based on the transform (algorithm) that was used. This hints strongly that you are using DSA with SHA256 in the XML file.

BTW, there are tests for both DSA-SHA1 and DSA-SHA256 in the xmlsec/tests/ folder and it all works correctly when both are enabled.

[timlegge]

@lsh123 you are right the xml is below. It is possible that I have an issue in perl's XML::Sig's DSA code. I will look.

Thanks

<?xml version="1.0"?>
<samlp:ArtifactResolve xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" ID="_cce4ee769ed970b501d680f697989d14" IssueInstant="2010-09-18T17:33:01Z" Version="2.0">
  <!-- this is a comment - we can still sign and verify -->
  <saml:Issuer>http://dev/cgi-bin/zxidhlo.pl?o=B</saml:Issuer>
  <samlp:Artifact>AAQAALN+k3vq4G80Xko1XPLwwxsvPbU/JPFWdERp73EBAjuV4yT7ce9UMDQ=</samlp:Artifact>
<dsig:Signature>
            <dsig:SignedInfo xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <dsig:SignatureMethod Algorithm="http://www.w3.org/2009/xmldsig11#dsa-sha256"/>
                <dsig:Reference URI="#_cce4ee769ed970b501d680f697989d14">
                        <dsig:Transforms>
                            <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                            <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <dsig:DigestValue>o4mhQtq+4TAjKsezgW2o5sNVcxejTNWtTzPfPg/7+70=</dsig:DigestValue>
                    </dsig:Reference>
            </dsig:SignedInfo>
            <dsig:SignatureValue>jRZpBYWjU+MXr7hiS7fRA7XMSsiDaojyJwL1JVyD2HFHGZooUK+Qcw==
</dsig:SignatureValue>
            <dsig:KeyInfo>
                             <dsig:KeyValue>
                              <dsig:DSAKeyValue>
                               <dsig:P>3F1cWxyKaQ3LvrmNQ3VhC8V1V6D8kG0BTaNDcBCOvv6QCs+C47dwl2XQYTFFFj2h4JDh9Lb0iN/7SeyX6TDm+lZzC+NaDzsM3MkEFDjGRD1Nmv7U9qKXlt926XAmnaJah+7TEMZnQpfp7sw3gx9ySg2wOrxcsJron2M9BaXNZqE=</dsig:P>
                               <dsig:Q>rV9QMZEZe+gHIYZ0bkmCtFTwKyc=</dsig:Q>
                               <dsig:G>p//HjldAAFBB4ZQJuoLIw62OZoLrZCJaTmcH+btMxz7y2GpagNemN6IAHfFiZ6eU5fSI+BZX2dnOTnG4rp4ZR2HSUQxk4SFTDduwidVx74KnOgGc6uC5h7sFI0EyGN5Nh0Sy8qVA2A4MGcYcN/mIRvzcNvpRDDzyw19EREK4tFg=</dsig:G>
                               <dsig:Y>Ncpnjk0HvI1GuGrgGS3WegzXVZw3eY/WHuopfkEams5n1GF/y0pewgiZBcQkLOcLriwMWeg1NS87UNk0IWo9Md9OvYFL0Ss0cK6f8IPNDBFDX4QpRf/D8n10v78PWGjrxlV5NRm2EVrEMSrFaUGlUlEuoxi0UrDLE/8yz7QXJZU=</dsig:Y>
                              </dsig:DSAKeyValue>
                             </dsig:KeyValue>
                            </dsig:KeyInfo>
        </dsig:Signature></samlp:ArtifactResolve>

[timlegge]

Ah, I see the issue. I changed the default signing algorithm in XML::Sig to sha256 a while back but that particular test was using was a 1024 bit key.

Sorry for being confused...

[lsh123]

Glad you found it. While it's definitely more secure, DSA-SHA256 is not very common and you might run into interoperability problems with other systems.

[timlegge]

Hi Yes, it was added mostly because it was not difficult to add and for completeness. Not really something anyone should be using at this point. Tim Timothy Legge ***@***.*** ***@***.***

…

On Tue, Feb 28, 2023 at 10:08 AM lsh123 ***@***.***> wrote: Glad you found it. While it's definitely more secure, DSA-SHA256 is not very common and you might run into interoperability problems with other systems. — Reply to this email directly, view it on GitHub <#556 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N6ZNDWYJBYXGHIW3PLTWZYBHRANCNFSM6AAAAAAVI3WYPU> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[lsh123]

"I changed the default signing algorithm in XML::Sig to sha256"

I was referring to making it default :)

[timlegge]

Hi You make a valid point :-) Timothy Legge ***@***.*** ***@***.***

…

On Tue, Feb 28, 2023 at 11:58 AM lsh123 ***@***.***> wrote: "I changed the default signing algorithm in XML::Sig to sha256" I was referring to making it default :) — Reply to this email directly, view it on GitHub <#556 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH3N6YDKO7OLENZAVVC2SDWZYODXANCNFSM6AAAAAAVI3WYPU> . You are receiving this because you authored the thread.Message ID: ***@***.***>