panzi / verify-ehc

Simple Python script to decode and verify an European Health Certificate QR-code

NOVERIFY flag #10

Closed dirkx closed 3 years ago

dirkx commented 3 years ago

Note that by simplifying the chain validation code - we are now no longer checking the chain properly. It is no longer anchored.

Unfortunately solving this in pyopenssl is not easy -- see https://github.com/pyca/pyopenssl/issues/1031

panzi commented 3 years ago

> we are now no longer checking the chain properly

Are you talking of my version of verify_detached_signature()? This flag is also used in the library you originally used, see: https://github.com/jnewbigin/pkcs7_detached/blob/1681424f903bdf22aa11d7430a605dc65f758f8b/pkcs7_detached/__init__.py#L86

I just implemented it myself so:

dirkx commented 3 years ago

On 31 Jul 2021, at 18:15, Mathias Panzenböck @.***> wrote:

> we are now no longer checking the chain properly
>
> Are you talking of my version of verify_detached_signature()? This flag is also used in the library you originally used,

So that is very wrong then. It sort of negates the whole check I guess. And calling out to the openssl executable is far from ideal.

Dw.

panzi commented 3 years ago

What purpose flag would be the right one?

panzi commented 3 years ago

@dirkx I've made a pull request to pyca/cryptography that adds the functions and related constants you've mentioned, but since I don't know about this cryptography stuff I don't know how to write proper tests for it and as such the coverage tests fail. Would you know how to write proper tests that include the PKCS7_get0_signers() and X509_STORE_set_purpose() functions? See also: https://github.com/pyca/cryptography/pull/6187

dirkx commented 3 years ago

On 31 Jul 2021, at 21:06, Mathias Panzenböck @.***> wrote:

> @dirkx https://github.com/dirkx I've made a pull request to pyca/cryptography that adds the functions you mentioned and related constants, but since I don't know about this cryptography stuff I don't know how to write proper tests for it and as such the coverage tests fail. Would you know how to write proper tests that include the PKCS7_get0_signers() and X509_STORE_set_purpose() functions? See also: pyca/cryptography#618 https://github.com/pyca/cryptography/pull/6187

OK - will do!

Dw.

dirkx commented 3 years ago

On 31 Jul 2021, at 20:47, Mathias Panzenböck @.***> wrote:

> What purpose flag would be the right one?

Fairly dependent on the setting - for JWT, or for example for all the stuff you need to do for AWS-CLI magic -- the common one is basically ANY (as there it does not matter).

Dw

panzi commented 3 years ago

I'm currently in the process of trying to implement this verification by hand (using asn1crypto to parse the ASN.1 data) and in doing so found out that it was the wrong root certificate anyway! The correct one is: http://cert.pkioverheid.nl/EVRootCA.cer

panzi commented 3 years ago

I managed to verify the trust chain manually... but currently failing at the actual signature.

dirkx commented 3 years ago

Ok - if you send me what you have (or commit it) - happy to have a look and do a bit of puzzling.

dirkx commented 3 years ago

Sorry - yes we changed that - thought I had changed the script too.

panzi commented 3 years ago

This is what I currently have: https://github.com/panzi/verify-ehc/blob/1c7dd5246d1aa8bc8b8178573a1313f471d3c738/verify_ehc.py#L927

The trust chain verification works, but then the verification of the payload fails somehow. Adding debug prints to Python cryptography library just tells me the OpenSSL error: error:04091068:rsa routines:int_rsa_verify:bad signature

panzi commented 3 years ago

There are a lot of debug prints in there right now.

panzi commented 3 years ago

Also verified: The digest I calculate is the message digest inside the signed data. Really only the last verification step fails. Really not sure how else I could call the public_key.verify() function.

dirkx commented 3 years ago

So the issue is that you need to verify the signature on the entire signed-data block - which includes things such as the date; see https://datatracker.ietf.org/doc/html/rfc5652#section-5.4

And note the shenanigans around the EXPLICIT SET OF. Won’t have the time in the next 24 hours to see if I can fix this.

Dw

dirkx commented 3 years ago

See this line - i.e. change the first byte of the signed_attr section (in DER):

https://github.com/dirkx/arduino-esp32/blob/0e54ded4366d99b018efb9c628b9409df1f0537b/libraries/Update/src/mbedtls-ts-addons/ts.cpp#L639
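The step described in the two comments above, as an added example (not code from verify-ehc or from either commenter): per RFC 5652 section 5.4 the messageDigest attribute must match the content, but the signature itself covers the DER of signedAttrs with the `[0]` IMPLICIT tag byte (0xA0) replaced by the SET OF tag (0x31). SHA-256, definite-length DER, the helper names and the sample attributes are assumptions made for this illustration.

```python
import hashlib
import hmac
OID_CONTENT_TYPE = bytes.fromhex("2a864886f70d010903")    # 1.2.840.113549.1.9.3
OID_MESSAGE_DIGEST = bytes.fromhex("2a864886f70d010904")  # 1.2.840.113549.1.9.4
OID_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    k = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | k]) + n.to_bytes(k, "big") + value

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                       # long form: low bits = length octets
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def signature_input(signed_attrs: bytes, content: bytes) -> bytes:
    """Check messageDigest against content, then return the signed bytes."""
    tag, attrs, end = read_tlv(signed_attrs)
    if tag != 0xA0 or end != len(signed_attrs):
        raise ValueError("expected signedAttrs encoded as [0] IMPLICIT")
    pos, digest = 0, None
    while pos < len(attrs):
        _, attr, pos = read_tlv(attrs, pos)            # Attribute SEQUENCE
        _, oid, after_oid = read_tlv(attr)             # attrType OID
        if oid == OID_MESSAGE_DIGEST:
            _, values, _ = read_tlv(attr, after_oid)   # attrValues SET
            _, digest, _ = read_tlv(values)            # OCTET STRING
    expected = hashlib.sha256(content).digest()        # assumption: SHA-256
    if digest is None or not hmac.compare_digest(digest, expected):
        raise ValueError("messageDigest does not match content")
    return b"\x31" + signed_attrs[1:]                  # SET OF tag replaces [0]

def sample_signed_attrs(content: bytes) -> bytes:
    """Constructed sample: contentType and messageDigest attributes only."""
    ct = tlv(0x30, tlv(0x06, OID_CONTENT_TYPE) + tlv(0x31, tlv(0x06, OID_DATA)))
    md = tlv(0x30, tlv(0x06, OID_MESSAGE_DIGEST)
             + tlv(0x31, tlv(0x04, hashlib.sha256(content).digest())))
    return tlv(0xA0, ct + md)
```

The bytes returned by `signature_input()` are what goes in as the data argument of the signer key's verify call; passing the content, or the attributes as they appear on the wire, gives a bad-signature error even though the digest comparison succeeds.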

panzi commented 3 years ago

Thank you for your help! With this information and a little bit of trying around I finally managed it! See: https://github.com/panzi/verify-ehc/blob/228b21dfe23f503ceb49a36c2ed225c937a66d8f/verify_ehc.py#L796

So I'm closing this issue now. :smile:

dirkx commented 3 years ago

Splendid !