cfrg / draft-irtf-cfrg-opaque

The OPAQUE Asymmetric PAKE Protocol
https://cfrg.github.io/draft-irtf-cfrg-opaque/draft-irtf-cfrg-opaque.html
Other
100 stars 20 forks source link

CleartextCredentials serialization is unspecified #469

Open iaik-jheher opened 1 day ago

iaik-jheher commented 1 day ago

CleartextCredentials is specified as:

struct {
  uint8 server_public_key[Npk];
  uint8 server_identity<1..2^16-1>;
  uint8 client_identity<1..2^16-1>;
} CleartextCredentials;

An instance of CleartextCredentials is then concatenated with the envelope nonce to generate the auth_tag:

auth_tag =
    MAC(auth_key, concat(envelope_nonce, cleartext_credentials))

However, the document does not specify anywhere how to serialize a CleartextCredentials structure to bytes. As opposed to every other structure in the document, which has fixed field lengths (and can simply be serialized by concatenating the fields), CleartextCredentials has two fields with dynamic lengths. It is not immediately obvious how it should be serialized.

I was able to make an educated guess (based on the length constraint) that CleartextCredentials should be serialized as:

concat(
    server_public_key,
    I2OSP(len(server_identity), 2), server_identity,
    I2OSP(len(client_identity), 2), client_identity)

Which also then matches the provided test vectors. Nevertheless, this should be specified in the document.

iaik-jheher commented 1 day ago

This also affects CustomLabel. I suspect that language similar to RFC 8446's section 3.4 is missing.