hash_algo for Ed25519 and Ed448 should not expose internals #230
Conversation
Unlike RSA which requires hashing prior to signing, pure Ed25519 and Ed448 signing algorithm identifiers do not refer to the "hashing algorithm" at all. certvalidator uses this to detect [weak hashing algorithms](https://github.com/wbond/certvalidator/blob/0.11.1/certvalidator/validate.py#L306), but passing hashing algorithm separately to EdDSA signing/verification functions makes no sense. [pyca/cryptography](https://cryptography.io/en/37.0.2/x509/reference/#cryptography.x509.Certificate.signature_hash_algorithm) prefers to say None here. Let's call it "raw" then.
|
Looks like two conflicting meanings of "hash_algo" here:
(the examples are from certvalidator, but I think it is asn1crypto which should define its meaning and values). |
|
There are pre-hashed variants called Ed25519ph and Ed448ph, but IETF decided not to assign OID values to the hashed variants yet and therefore cannot be used in the X.509 certificates. |
|
Hi, author of #205 here. You're of course right that these hashes are for internal use, and I'm also aware that there are no OIDs for the pre-hashed variants of EdDSA. When I drafted the PR, I decided to supply values for
(Granted, I'm not 100% sure about the implications of using SHAKE256 as a message digest function in a CMS signature, but at least for Ed25519, SHA512 is a very reasonable default.) I confess that I was thinking more of CMS than of X.509 when I made that PR, but I think a case can be made for both options. That said, regardless of the option we pick, a comment explaining the rationale wouldn't be out of place, I guess... Thoughts? |
|
Thank you for your insightful answer @MatthiasValvekens ! RFC 8419 Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures in the Cryptographic Message Syntax (CMS) tells us exactly this:
So we need this information somewhere to make CMS work. In my patch to certvalidator I override this value explicity since to makes no sense to certificate validation. Maybe this function should be named differently (or moved into CMS-specific code)? What should be the one-line description of that |
|
Right, thanks for the reference! I should've known, I've cited that exact text in another draft standard some time last summer... Memory is a funny thing. Maybe splitting this property into two separate ones would indeed make sense, but I hesitate to make that call without maintainer input... Is there any reason why the current way of doing things breaks certvalidator? As it happens, I maintain my own fork of certvalidator; it includes support for ed25519 and ed448 signatures, in addition to a bunch of other, more fundamental changes (those aren't upstreamable because I dropped Python <3.7 support). FYI, this is how I addressed the problem over there: https://github.com/MatthiasValvekens/certvalidator/blob/8f723a123845c7783e1e10ca907a3d9568ae616b/pyhanko_certvalidator/util.py#L210-L275. As you can see, my validation routine simply ignores the hash parameter. |
|
It does not break it, it is my own lousy programming that did it: Instead of a series of For this, I have added a compatible Anticipating pre-hashed EdDSA support (this is certainly https://www.martinfowler.com/bliki/Yagni.html) the only currently acceptable value is "raw" (maybe the value should be "pure" or And then https://github.com/wbond/certvalidator/blob/e53c06ad7f450e85808962a20f14825a43eccbc9/certvalidator/validate.py#L304 So maybe SignedDigestAlgorithm.hash_algo should be left alone for the purpose of CMS, and the mapping should be changed in Certificate.hash_algo - by returning "raw" or |
|
From reading through the discussion, I think what makes sense to me is:
Does that sound reasonable? |
|
That sounds reasonable, yes! The current So, functionally, the change is equivalent to this:
|
|
I like it, too. But we need to update cms code for this, right? |
|
I suppose it's technically a breaking change, but it only affects EdDSA usage, and the number of people using Ed25519 in CMS is still relatively low, since other tech standards that rely on CMS (e.g. PDF) are only now starting to catch up. The number of asn1crypto users in this category is probably even smaller---I'm one of them, though. Ideally, this should come with a major version increase (does this project follow semver?), but even if not, the impact is comparatively minor, and the change on the caller end is quite trivial. TL;DR: Regardless of how we make the change, there's no better time frame than now. |
|
We could probably get away with not doing a 2.0 by throwing a |
Would we? Raising |
|
Now I wonder if https://github.com/wbond/certvalidator/blob/e53c06ad7f450e85808962a20f14825a43eccbc9/certvalidator/validate.py#L304 should not really access what we just called |
The idea is that technically it is bug that |
|
One more remark:
Not sure I agree with this, to be honest. I'd argue that that problem is better addressed by allowing signature algorithms to be marked as deprecated. After all, it could theoretically also happen that SHA-256 winds up broken in a way that doesn't really affect ed25519 security in any meaningful way. Supporting signature algorithm deprecation seems better suited for another PR, IMHO. |
|
I am fully with you @MatthiasValvekens on this one - I just wanted to look at the current status and didn't dare to think what the proper solution would be. I somehow like NSS' bureaucratic "policy" settings, where you can turn your ciphers on and off as you like. Maybe we just fire up |
Yep, sounds about right.
Just to make sure I understand what you meant: is |
|
no, not a typo - just a tongue in cheek proposal to introduce yet another function for that :) |
|
Since |
Add .cms_hash_algo as a replacement. See discussion at #230 for details.
|
@MatthiasValvekens @saper I've posted #265 as the proposed fix. I'll probably cut it as 2.0 along with any other minor breaking changes that have been pending. |
Add .cms_hash_algo as a replacement. See discussion at #230 for details.
|
I have committed a fix for this in #265 |
Some distros already ship the master build of asn1crypto since it's been so long without a release, so we have to address this. See wbond/asn1crypto#230
The change in question has been merged into master upstream a long while ago, but it is not in any PyPI release yet. Nonetheless, some distros already ship this new version, so we have to find a way to stay compatible with both. See wbond/asn1crypto#230. Fixes #12
- pyhanko-certvalidator >= 0.26.5 - certomancer >= 0.12.3 This is to deal with wbond/asn1crypto#230. Even though this change is not on PyPI, some distros already ship it.
Unlike RSA which requires hashing prior to signing, pure
Ed25519 and Ed448 signing algorithm identifiers do not refer
to the "hashing algorithm" at all.
certvalidator uses this to detect weak hashing algorithms,
but passing hashing algorithm separately to EdDSA signing/verification
functions makes no sense.
pyca/cryptography prefers to say None here.
Let's call it "raw" then.