Debugging SSL on Linux

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
14 messages Options
Reply | Threaded
Open this post in threaded view
|

Debugging SSL on Linux

Ron Teitelbaum

Hello everyone,

 

Can anyone help debugging SSL on Linux?

 

This is from Norbert:

 

I'm using it on linux with squeak vm 3.9-8 #5 Tue Oct 10 11:56:09 PDT 2006 gcc 4.0.3 Squeak3.9alpha of 4 July 2005 [latest update: #7021] Linux ubuntu 2.6.15-27-386 #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006 i686 GNU/Linux default plugin location: /usr/local/lib/squeak/3.9-8/*.so and a stock 3.9 7067 image. I tried using a fresh copy of the image but the errors stay the same errors.

 

I tried using the url that Norbert gave and it worked fine on Windows.

 

'https://home.selfish.org' asUrl retrieveContents.

 

Could someone try this on Linux and see if they can help provide info as to what is going wrong.  I suspect that the client hello is causing the server to disconnect.  Maybe an Endian issue?

 

Thanks,


Ron Teitelbaum
Squeak Cryptography Team Leader


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers
Ron and Norbert,

I found that SSL failed to establish a connection on the Mac, and I suspect the same is actually true on Windows, on close inspection.  The resulting MIMEDocument has an error when evaluating the example:

'https://home.selfish.org' asUrl retrieveContents.

I debugged into the SSLSocket and found where the ProtocolCap was getting killed.  This occurred when processing the SSLCertificateMsg, with a certificate chain of 2 certificates.  The new code I added to verify certificates is having a problem verifying certificate 1 with certificate 2.

Digging a little further showed that there are 3 problems, the 2nd and 3rd hidden by the 1st.  

The 1st problem is the comparison if cert1's issuer with cert2's subject.  One part of these X509Names is a Pkcs9EmailAddress, which is wrapping a ASN1IA5String.  This class (ASN1IA5String) is missing an #= operation, and so they are claiming they are not equal.  I fixed this.


The 2nd and 3rd problems are ASN1 encoding/decoding problems.

The 2nd problem is an issue with tag 12 being encoded as 19, the default for a String.
the source bytes encoded with this code
| bytes |
bytes := #(160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.
(ASN1Value fromAsnDer: bytes readStream) encodeAsnDer.

encode as
#(160 18 19 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)

check the third byte to see the problem.  Since the TBSCertificate are reencoded for signature checking, the ASN1 hierarchy must be able to reencode precisely.  So I added several classes for different types of strings (ASN1PrintableString, ASN1UniversalString, and ASN1BMPString) and updated the tag table to use them.  This solves this problem, but there are still holes in the ASN1 tag framework.


The 3rd problem is an ASN1 decoding problem with an ASN1ExplicitContextValue class, that is embedded in a CertificateExtension.  Here is the ExplicitContextValue part, which seems to be malformed:

| bytes ext  |
bytes := #(160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.
ext := (ASN1Value fromAsnDer: bytes readStream).
ext encodeAsnDer

resulting in:
a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5)

Notice the 2nd byte.  Now this being embedded means that the part that dropped off is actualy captured in the certExtension, and when he certExtension encdes itself, here is the fragment that it encodes:

a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)

The original bytes gave a length of 30, which captured 2 values and I didn't think a ExplicitContextValue could do that.  The encoded bytes have a length of 10 which is just the first element.  When it decodes, instead of grabbing the bytes specified by length it just decodes the next ASN1Value, the first chunk.  So here is how it breaks down:

<{160} [30] (
<{6} [8] (43 6 1 5 5 7 8 5)> 
<{160} [18] (
<{12} [16] (104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)>
)>
)>

Now, either an ExplicitContextValue can have 2 values like this, and we need to change some code, or this is malformed.  Please advise if we can change ExplicitContextValue to handle this.  

If it is malformed, then because we are re-encoding the ASN1 bytes to do signatures, and since I added the Certificate Extensions, this is now breaking.  Either we need to save the original bytes to do signatures with, and avoid re-encoding, or else this correctly fails.  Saving the original bytes of ASN1 is a major rewrite.

Sorry I couldn't get this site working for you right away, but we will need to resolve this issue in the design, first.

Robert


On Mar 20, 2007, at 11:01 AM, Ron Teitelbaum wrote:

Hello everyone,

 

Can anyone help debugging SSL on Linux?

 

This is from Norbert:

 

I'm using it on linux with squeak vm 3.9-8 #5 Tue Oct 10 11:56:09 PDT 2006 gcc 4.0.3 Squeak3.9alpha of 4 July 2005 [latest update: #7021] Linux ubuntu 2.6.15-27-386 #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006 i686 GNU/Linux default plugin location: /usr/local/lib/squeak/3.9-8/*.so and a stock 3.9 7067 image. I tried using a fresh copy of the image but the errors stay the same errors.

 

I tried using the url that Norbert gave and it worked fine on Windows.

 

'https://home.selfish.org' asUrl retrieveContents.

 

Could someone try this on Linux and see if they can help provide info as to what is going wrong.  I suspect that the client hello is causing the server to disconnect.  Maybe an Endian issue?

 

Thanks,


Ron Teitelbaum
Squeak Cryptography Team Leader

_______________________________________________
Cryptography mailing list


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Debugging SSL on Linux

Ron Teitelbaum

Hey Rob,

 

I’ll look more into the asn issue but this doesn’t explain why it works on my machine.

 

I was able to connect and retrieve data just fine, I just checked again with:

 

ANS1.26

Core.23

SSL.109

X509.32

 

I’ll try your new code but first I’ll verify the extension data and see if I can tell why it is parsing correctly on my machine.  I can’t get to it till tomorrow.

 

Thanks for looking at it!

Ron  

 


From: Robert Withers [mailto:[hidden email]]
Sent: Tuesday, March 20, 2007 4:43 PM
To: [hidden email]; Cryptography Team Development List
Cc: 'Norbert Hartl'
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

Ron and Norbert,

 

I found that SSL failed to establish a connection on the Mac, and I suspect the same is actually true on Windows, on close inspection. The resulting MIMEDocument has an error when evaluating the example:

 

'https://home.selfish.org' asUrl retrieveContents.

 

I debugged into the SSLSocket and found where the ProtocolCap was getting killed. This occurred when processing the SSLCertificateMsg, with a certificate chain of 2 certificates. The new code I added to verify certificates is having a problem verifying certificate 1 with certificate 2.

 

Digging a little further showed that there are 3 problems, the 2nd and 3rd hidden by the 1st.

 

The 1st problem is the comparison if cert1's issuer with cert2's subject. One part of these X509Names is a Pkcs9EmailAddress, which is wrapping a ASN1IA5String. This class (ASN1IA5String) is missing an #= operation, and so they are claiming they are not equal. I fixed this.

 

 

The 2nd and 3rd problems are ASN1 encoding/decoding problems.

 

The 2nd problem is an issue with tag 12 being encoded as 19, the default for a String.

the source bytes encoded with this code

          | bytes |

          bytes := #(160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.

          (ASN1Value fromAsnDer: bytes readStream) encodeAsnDer.

 

encode as

          #(160 18 19 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)

 

check the third byte to see the problem. Since the TBSCertificate are reencoded for signature checking, the ASN1 hierarchy must be able to reencode precisely. So I added several classes for different types of strings (ASN1PrintableString, ASN1UniversalString, and ASN1BMPString) and updated the tag table to use them. This solves this problem, but there are still holes in the ASN1 tag framework.

 

 

The 3rd problem is an ASN1 decoding problem with an ASN1ExplicitContextValue class, that is embedded in a CertificateExtension. Here is the ExplicitContextValue part, which seems to be malformed:

 

          | bytes ext |

          bytes := #(160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.

          ext := (ASN1Value fromAsnDer: bytes readStream).

          ext encodeAsnDer

 

resulting in:

          a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5)

 

Notice the 2nd byte. Now this being embedded means that the part that dropped off is actualy captured in the certExtension, and when he certExtension encdes itself, here is the fragment that it encodes:

 

          a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)

 

The original bytes gave a length of 30, which captured 2 values and I didn't think a ExplicitContextValue could do that. The encoded bytes have a length of 10 which is just the first element. When it decodes, instead of grabbing the bytes specified by length it just decodes the next ASN1Value, the first chunk. So here is how it breaks down:

 

<{160} [30] (

          <{6} [8] (43 6 1 5 5 7 8 5)>

          <{160} [18] (

                      <{12} [16] (104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)>

          )>

)>

 

Now, either an ExplicitContextValue can have 2 values like this, and we need to change some code, or this is malformed. Please advise if we can change ExplicitContextValue to handle this.

 

If it is malformed, then because we are re-encoding the ASN1 bytes to do signatures, and since I added the Certificate Extensions, this is now breaking. Either we need to save the original bytes to do signatures with, and avoid re-encoding, or else this correctly fails. Saving the original bytes of ASN1 is a major rewrite.

 

Sorry I couldn't get this site working for you right away, but we will need to resolve this issue in the design, first.

 

Robert

 

 

On Mar 20, 2007, at 11:01 AM, Ron Teitelbaum wrote:



Hello everyone,

Can anyone help debugging SSL on Linux?

This is from Norbert:

I'm using it on linux with squeak vm 3.9-8 #5 Tue Oct 10 11:56:09 PDT 2006 gcc 4.0.3 Squeak3.9alpha of 4 July 2005 [latest update: #7021] Linux ubuntu 2.6.15-27-386 #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006 i686 GNU/Linux default plugin location: /usr/local/lib/squeak/3.9-8/*.so and a stock 3.9 7067 image. I tried using a fresh copy of the image but the errors stay the same errors.

I tried using the url that Norbert gave and it worked fine on Windows.

'https://home.selfish.org' asUrl retrieveContents.

Could someone try this on Linux and see if they can help provide info as to what is going wrong. I suspect that the client hello is causing the server to disconnect. Maybe an Endian issue?

Thanks,


Ron Teitelbaum
Squeak Cryptography Team Leader

_______________________________________________

Cryptography mailing list

 


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Debugging SSL on Linux

Ron Teitelbaum

Great that explains it.  I’ll look at the asn more closely and let you know tomorrow.

 

Ron

 


From: Robert Withers [mailto:[hidden email]]
Sent: Tuesday, March 20, 2007 6:26 PM
To: [hidden email]
Cc: 'Norbert Hartl'; 'Cryptography Team Development List'
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

Hey Ron,

 

You are back on the SSL version.  The latest is SSL.111.  You are missing all of the Certificate validation code that I put in and this is why you are able to connect, since all of the problems in this case are with validation.  Since you have the latest X509, you are decoding the CertificateExtensions, which would expose problems 2 and 3, but you aren't encoding them for signature validation, per the above reason, so you never have a problem.

 

Norbert, if you load SSL.109 it should work, while we get this issue fixed.  This is just missing a lot of security.

 

Rob

 

 

On Mar 20, 2007, at 3:03 PM, Ron Teitelbaum wrote:



Hey Rob,

 

I’ll look more into the asn issue but this doesn’t explain why it works on my machine.

 

I was able to connect and retrieve data just fine, I just checked again with:

 

ANS1.26

Core.23

SSL.109

X509.32

 

I’ll try your new code but first I’ll verify the extension data and see if I can tell why it is parsing correctly on my machine.  I can’t get to it till tomorrow.

 

Thanks for looking at it!

Ron  

 


From: Robert Withers [[hidden email]]
Sent: Tuesday, March 20, 2007 4:43 PM
To: [hidden email]; Cryptography Team Development List
Cc: 'Norbert Hartl'
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

Ron and Norbert,

 

I found that SSL failed to establish a connection on the Mac, and I suspect the same is actually true on Windows, on close inspection. The resulting MIMEDocument has an error when evaluating the example:

 

https://home.selfish.orgHello everyone,

This is from Norbert:

I tried using the url that Norbert gave and it worked fine on Windows.

Could someone try this on Linux and see if they can help provide info as to what is going wrong. I suspect that the client hello is causing the server to disconnect. Maybe an Endian issue?


Ron Teitelbaum
Squeak Cryptography Team Leader

_______________________________________________

Cryptography mailing list

 

 

 


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Debugging SSL on Linux

Ron Teitelbaum
In reply to this post by Rob Withers

Rob,

 

I took a quick look and you are right it is nasty.

 

30         32 (50):  

.           82         10 (16):    

.                       686F6D652E73656C666973682E6F7267    

.           A0        1E (30):                        

.           .           06         08 (8):

.           .                       2B06010505070805

.           .           A0        12 (18):

.           .           .           0C        10 (16):

.           .           .                       686F6D652E73656C666973682E6F7267

 

So it’s an explicit cv holding onto an explicit cv and another value.  Notice the problem goes back even further and happens twice for this extension.  So assuming that this problem matches with the asn rules then can we say that we encode, for size only, the content of an explicit contenxt value as a collection when the element size doesn’t match the first size.   

 

So encode is

 

            checkValueSize against next item and set value to collection if necessary, then decode until size is reached.

 

And decode is

           

            If value is collection then encode items in collection and then set size from encoded values.

 

I still want to check the docs but I’m guessing that I just missed this possibility. 

 

Since the ECV is just a wrapper for the tag number, (and your isPrimitive flag), would this cause any other problems?

 

Ron

 


From: Robert Withers [mailto:[hidden email]]
Sent: Tuesday, March 20, 2007 4:43 PM
To: [hidden email]; Cryptography Team Development List
Cc: 'Norbert Hartl'
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

Ron and Norbert,

 

I found that SSL failed to establish a connection on the Mac, and I suspect the same is actually true on Windows, on close inspection. The resulting MIMEDocument has an error when evaluating the example:

 

'https://home.selfish.org' asUrl retrieveContents.

 

I debugged into the SSLSocket and found where the ProtocolCap was getting killed. This occurred when processing the SSLCertificateMsg, with a certificate chain of 2 certificates. The new code I added to verify certificates is having a problem verifying certificate 1 with certificate 2.

 

Digging a little further showed that there are 3 problems, the 2nd and 3rd hidden by the 1st.

 

The 1st problem is the comparison if cert1's issuer with cert2's subject. One part of these X509Names is a Pkcs9EmailAddress, which is wrapping a ASN1IA5String. This class (ASN1IA5String) is missing an #= operation, and so they are claiming they are not equal. I fixed this.

 

 

The 2nd and 3rd problems are ASN1 encoding/decoding problems.

 

The 2nd problem is an issue with tag 12 being encoded as 19, the default for a String.

the source bytes encoded with this code

          | bytes |

          bytes := #(160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.

          (ASN1Value fromAsnDer: bytes readStream) encodeAsnDer.

 

encode as

          #(160 18 19 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)

 

check the third byte to see the problem. Since the TBSCertificate are reencoded for signature checking, the ASN1 hierarchy must be able to reencode precisely. So I added several classes for different types of strings (ASN1PrintableString, ASN1UniversalString, and ASN1BMPString) and updated the tag table to use them. This solves this problem, but there are still holes in the ASN1 tag framework.

 

 

The 3rd problem is an ASN1 decoding problem with an ASN1ExplicitContextValue class, that is embedded in a CertificateExtension. Here is the ExplicitContextValue part, which seems to be malformed:

 

          | bytes ext |

          bytes := #(160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.

          ext := (ASN1Value fromAsnDer: bytes readStream).

          ext encodeAsnDer

 

resulting in:

          a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5)

 

Notice the 2nd byte. Now this being embedded means that the part that dropped off is actualy captured in the certExtension, and when he certExtension encdes itself, here is the fragment that it encodes:

 

          a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)

 

The original bytes gave a length of 30, which captured 2 values and I didn't think a ExplicitContextValue could do that. The encoded bytes have a length of 10 which is just the first element. When it decodes, instead of grabbing the bytes specified by length it just decodes the next ASN1Value, the first chunk. So here is how it breaks down:

 

<{160} [30] (

          <{6} [8] (43 6 1 5 5 7 8 5)>

          <{160} [18] (

                      <{12} [16] (104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)>

          )>

)>

 

Now, either an ExplicitContextValue can have 2 values like this, and we need to change some code, or this is malformed. Please advise if we can change ExplicitContextValue to handle this.

 

If it is malformed, then because we are re-encoding the ASN1 bytes to do signatures, and since I added the Certificate Extensions, this is now breaking. Either we need to save the original bytes to do signatures with, and avoid re-encoding, or else this correctly fails. Saving the original bytes of ASN1 is a major rewrite.

 

Sorry I couldn't get this site working for you right away, but we will need to resolve this issue in the design, first.

 

Robert

 

 

On Mar 20, 2007, at 11:01 AM, Ron Teitelbaum wrote:



Hello everyone,

Can anyone help debugging SSL on Linux?

This is from Norbert:

I'm using it on linux with squeak vm 3.9-8 #5 Tue Oct 10 11:56:09 PDT 2006 gcc 4.0.3 Squeak3.9alpha of 4 July 2005 [latest update: #7021] Linux ubuntu 2.6.15-27-386 #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006 i686 GNU/Linux default plugin location: /usr/local/lib/squeak/3.9-8/*.so and a stock 3.9 7067 image. I tried using a fresh copy of the image but the errors stay the same errors.

I tried using the url that Norbert gave and it worked fine on Windows.

'https://home.selfish.org' asUrl retrieveContents.

Could someone try this on Linux and see if they can help provide info as to what is going wrong. I suspect that the client hello is causing the server to disconnect. Maybe an Endian issue?

Thanks,


Ron Teitelbaum
Squeak Cryptography Team Leader

_______________________________________________

Cryptography mailing list

 


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers
Ron,

I just want to reiterate that by not preserving the original bytes when decoding, we are forced to re-encode to check signatures.  With that comment out of the way...

First, I turned off CertificateExtension decoding and republished, so the latest code should now work.  I couldn't get it to work...

Second, this is long in the tooth...  

I am referring to the ASN1 book by Olivier Dubuisson, which you had referred me to at one point so I think you have access to this pdf.

Per Figure 18.2 on page 396, we are using the ASN1ExplicitContextValue to wrap APPLICATION {01cttttt}, Context-specific {10cttttt} and PRIVATE {11cttttt} values - tags 6 and 7.  They can be Primitive (Implicit) or Constructed (Explicit) - tag 5.  This specific example is using Explicit Context-specific [0] (see page 409, section 18.2.16 Tagged value, where the value of the Explicit triplet is itself one triplet).

Now, this section just named refers to page 216, which is the chapter on Constructed values.  I just scanned it and it seems necessary to define structures as a SEQUENCE, with no "implicit" structures - i.e. they don't seem to define a Context-specific type that can hold more than one Triplet without embedding it in a SEQUENCE.

So, here is the type definition for an Extension:

Extension         ::=   SEQUENCE {
   extnId            EXTENSION.&id ({ExtensionSet}),
   critical          BOOLEAN DEFAULT FALSE,
   extnValue         OCTET STRING }
                -- contains a DER encoding of a value of type

and the problem we are having is by trying to DER decode the extnValue field.  Here is the full data for that field, both raw and parsed with hex values:

#(48 50 130 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103 160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray


SEQUENCE = T(30) L(32) V(
Implicit [2] = T(82) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67)
Explicit [0] = T(A0) L(1E) V(
OID = T(06) L(08) V(2B 06 01 05 05 07 08 05)
Explicit [0] = T(A0) L(12) V(
String = T(0C) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67))))

The outer is a SEQUENCE and is ok.  Inside, at the value of the first Explicit [0] Triplet, it is not a SEQUENCE, but it has 2 Triplets inside of it.  Looking at its Length (1E), it thinks it should be holding both Triplets.

The code is only grabbing the first Triplet when decoding an Explicit [0], and then the outer Sequence is decoding the second inner Triplet, so I actually get:

Sequence (
Implicit [2]
Explicit [0] (OID)
Explicit [0] (String))

instead of:

Sequence (
Implicit [2]
Explicit [0] (
OID
Explicit [0]))

the corresponding length is messed up when I re-encode it.

That's funny, as we agree.  I'll post to the ASN1 list...

later,
Rob

On Mar 20, 2007, at 4:30 PM, Ron Teitelbaum wrote:

So it’s an explicit cv holding onto an explicit cv and another value.  Notice the problem goes back even further and happens twice for this extension.  So assuming that this problem matches with the asn rules then can we say that we encode, for size only, the content of an explicit contenxt value as a collection when the element size doesn’t match the first size.   

So encode is

            checkValueSize against next item and set value to collection if necessary, then decode until size is reached.

And decode is

            If value is collection then encode items in collection and then set size from encoded values.

I still want to check the docs but I’m guessing that I just missed this possibility. 

Since the ECV is just a wrapper for the tag number, (and your isPrimitive flag), would this cause any other problems?


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers

On Mar 20, 2007, at 6:22 PM, Robert Withers wrote:

> I'll post to the ASN1 list...

Well, I couldn't subscribe to the asn1 list, so I've posted it to the  
TLS list instead, in the hopes that someone will have an idea there.

Rob
_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers
In reply to this post by Ron Teitelbaum
That's great Norbert.  Could you also test with:

ASN.27
SSL.111
X509.33

I fixed a bug and turned off a feature that were causing problems.  I  
have been unable to connect to your server in all cases.

thanks,
Robert

On Mar 21, 2007, at 1:23 AM, Norbert Hartl wrote:

> On Tue, 2007-03-20 at 15:25 -0700, Robert Withers wrote:
>> Hey Ron,
>>
>>
>> You are back on the SSL version.  The latest is SSL.111.  You are
>> missing all of the Certificate validation code that I put in and this
>> is why you are able to connect, since all of the problems in this  
>> case
>> are with validation.  Since you have the latest X509, you are  
>> decoding
>> the CertificateExtensions, which would expose problems 2 and 3, but
>> you aren't encoding them for signature validation, per the above
>> reason, so you never have a problem.
>>
>>
>> Norbert, if you load SSL.109 it should work, while we get this issue
>> fixed.  This is just missing a lot of security.
>>
>>
> Yes, with 109 I can connect to my server and retrieve a document.
>
> Thanks very much,
>
> Norbert
>

_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Debugging SSL on Linux

Ron Teitelbaum
In reply to this post by Rob Withers

Rob,

 

I think what we have is a

 

3.2 Constructed, definite-length method

This method applies to simple string types, structured types, types derived

simple string types and structured types by implicit tagging, and types derived

from anything by explicit tagging. It requires that the length of the value be

known in advance. The parts of the BER encoding are as follows:

Identifier octets. As described in Section 3.1, except that bit 6 has value "1,"

indicating that the encoding is constructed.

 

 

The value 160 (1 in bit 6) should be considered a Constructed, Definite-length field.  I’m still researching it but it would seem to me that this is how you define a user object within a value.  Instead of having a primitive data type within an explicit context value you have a constructed data type (in our world an object with ivars).

 

I’m still reading but I think that we may be able to replace 160 with ASN1ExplicitContextValueConstructed that has a definite length and holds the values in a sequence.  Do you have the actual ANS.1 definition for this extension?  I’d be interested if it says that it’s explicit constructed.

 

Ron

 

 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Withers
Sent: Tuesday, March 20, 2007 9:22 PM
To: [hidden email]
Cc: 'Cryptography Team Development List'; 'Norbert Hartl'
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

Ron,

 

I just want to reiterate that by not preserving the original bytes when decoding, we are forced to re-encode to check signatures.  With that comment out of the way...

 

First, I turned off CertificateExtension decoding and republished, so the latest code should now work.  I couldn't get it to work...

 

Second, this is long in the tooth...  

 

I am referring to the ASN1 book by Olivier Dubuisson, which you had referred me to at one point so I think you have access to this pdf.

 

Per Figure 18.2 on page 396, we are using the ASN1ExplicitContextValue to wrap APPLICATION {01cttttt}, Context-specific {10cttttt} and PRIVATE {11cttttt} values - tags 6 and 7.  They can be Primitive (Implicit) or Constructed (Explicit) - tag 5.  This specific example is using Explicit Context-specific [0] (see page 409, section 18.2.16 Tagged value, where the value of the Explicit triplet is itself one triplet).

 

Now, this section just named refers to page 216, which is the chapter on Constructed values.  I just scanned it and it seems necessary to define structures as a SEQUENCE, with no "implicit" structures - i.e. they don't seem to define a Context-specific type that can hold more than one Triplet without embedding it in a SEQUENCE.

 

So, here is the type definition for an Extension:

 

Extension         ::=   SEQUENCE {

   extnId            EXTENSION.&id ({ExtensionSet}),

   critical          BOOLEAN DEFAULT FALSE,

   extnValue         OCTET STRING }

                -- contains a DER encoding of a value of type

 

and the problem we are having is by trying to DER decode the extnValue field.  Here is the full data for that field, both raw and parsed with hex values:

 

#(48 50 130 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103 160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray

 

 

SEQUENCE = T(30) L(32) V(

          Implicit [2] = T(82) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67)

          Explicit [0] = T(A0) L(1E) V(

                      OID = T(06) L(08) V(2B 06 01 05 05 07 08 05)

                      Explicit [0] = T(A0) L(12) V(

                                  String = T(0C) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67))))

 

The outer is a SEQUENCE and is ok.  Inside, at the value of the first Explicit [0] Triplet, it is not a SEQUENCE, but it has 2 Triplets inside of it.  Looking at its Length (1E), it thinks it should be holding both Triplets.

 

The code is only grabbing the first Triplet when decoding an Explicit [0], and then the outer Sequence is decoding the second inner Triplet, so I actually get:

 

Sequence (

          Implicit [2]

          Explicit [0] (OID)

          Explicit [0] (String))

 

instead of:

 

Sequence (

          Implicit [2]

          Explicit [0] (

                      OID

                      Explicit [0]))

 

the corresponding length is messed up when I re-encode it.

 

That's funny, as we agree.  I'll post to the ASN1 list...

 

later,

Rob

 

On Mar 20, 2007, at 4:30 PM, Ron Teitelbaum wrote:



So it’s an explicit cv holding onto an explicit cv and another value.  Notice the problem goes back even further and happens twice for this extension.  So assuming that this problem matches with the asn rules then can we say that we encode, for size only, the content of an explicit contenxt value as a collection when the element size doesn’t match the first size.   

So encode is

            checkValueSize against next item and set value to collection if necessary, then decode until size is reached.

And decode is

            If value is collection then encode items in collection and then set size from encoded values.

I still want to check the docs but I’m guessing that I just missed this possibility. 

Since the ECV is just a wrapper for the tag number, (and your isPrimitive flag), would this cause any other problems?


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Debugging SSL on Linux

Ron Teitelbaum

Rob,

http://www.columbia.edu/~ariel/ssleay/layman.html

6.2.4 RelativeDistinguishedName

The three RelativeDistinguishedName values are SET OF values, so their DER encodings follow the constructed, definite-length method:

31 0b
   30 09 ... 55 53
 
31 1d
   30 1b ... 6f 6e
 
31 14
   30 12 ... 20 31

The identifier octets follow the low-tag-number form, since the tag for SET OF, 17 (decimal), is between 0 and 30. Bits 8 and 7 have value "0" since SET OF is in the universal class Bit 6 has value "1" since the encoding is constructed. The lengths octets follow the short form, and the contents octets are the DER encodings of the respective AttributeValueAssertion values, since there is only one value in each set.

What do you think?  Does changing 160 to ANS1ExplicitContextValueConstructed fix things?  I suppose that we could also, if it makes sense, extend the ECV functionality to include handling multiple values if bit 6 = 1 and eliminate some duplication of code (i.e. isPrimitive, but does isPrimitive make sense for ECVC?)

 

Ron

 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Ron Teitelbaum
Sent: Wednesday, March 21, 2007 12:59 PM
To: 'Cryptography Team Development List'; 'Robert Withers'
Subject: RE: [Cryptography Team] Debugging SSL on Linux

 

Rob,

 

I think what we have is a

 

3.2 Constructed, definite-length method

This method applies to simple string types, structured types, types derived

simple string types and structured types by implicit tagging, and types derived

from anything by explicit tagging. It requires that the length of the value be

known in advance. The parts of the BER encoding are as follows:

Identifier octets. As described in Section 3.1, except that bit 6 has value "1,"

indicating that the encoding is constructed.

 

 

The value 160 (1 in bit 6) should be considered a Constructed, Definite-length field.  I’m still researching it but it would seem to me that this is how you define a user object within a value.  Instead of having a primitive data type within an explicit context value you have a constructed data type (in our world an object with ivars).

 

I’m still reading but I think that we may be able to replace 160 with ASN1ExplicitContextValueConstructed that has a definite length and holds the values in a sequence.  Do you have the actual ANS.1 definition for this extension?  I’d be interested if it says that it’s explicit constructed.

 

Ron

 

 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Withers
Sent: Tuesday, March 20, 2007 9:22 PM
To: [hidden email]
Cc: 'Cryptography Team Development List'; 'Norbert Hartl'
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

Ron,

 

I just want to reiterate that by not preserving the original bytes when decoding, we are forced to re-encode to check signatures.  With that comment out of the way...

 

First, I turned off CertificateExtension decoding and republished, so the latest code should now work.  I couldn't get it to work...

 

Second, this is long in the tooth...  

 

I am referring to the ASN1 book by Olivier Dubuisson, which you had referred me to at one point so I think you have access to this pdf.

 

Per Figure 18.2 on page 396, we are using the ASN1ExplicitContextValue to wrap APPLICATION {01cttttt}, Context-specific {10cttttt} and PRIVATE {11cttttt} values - tags 6 and 7.  They can be Primitive (Implicit) or Constructed (Explicit) - tag 5.  This specific example is using Explicit Context-specific [0] (see page 409, section 18.2.16 Tagged value, where the value of the Explicit triplet is itself one triplet).

 

Now, this section just named refers to page 216, which is the chapter on Constructed values.  I just scanned it and it seems necessary to define structures as a SEQUENCE, with no "implicit" structures - i.e. they don't seem to define a Context-specific type that can hold more than one Triplet without embedding it in a SEQUENCE.

 

So, here is the type definition for an Extension:

 

Extension         ::=   SEQUENCE {

   extnId            EXTENSION.&id ({ExtensionSet}),

   critical          BOOLEAN DEFAULT FALSE,

   extnValue         OCTET STRING }

                -- contains a DER encoding of a value of type

 

and the problem we are having is by trying to DER decode the extnValue field.  Here is the full data for that field, both raw and parsed with hex values:

 

#(48 50 130 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103 160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray

 

 

SEQUENCE = T(30) L(32) V(

          Implicit [2] = T(82) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67)

          Explicit [0] = T(A0) L(1E) V(

                      OID = T(06) L(08) V(2B 06 01 05 05 07 08 05)

                      Explicit [0] = T(A0) L(12) V(

                                  String = T(0C) L(10) V(68 6F 6D 65 2E 73 65 6C 66 69 73 68 2E 6F 72 67))))

 

The outer is a SEQUENCE and is ok.  Inside, at the value of the first Explicit [0] Triplet, it is not a SEQUENCE, but it has 2 Triplets inside of it.  Looking at its Length (1E), it thinks it should be holding both Triplets.

 

The code is only grabbing the first Triplet when decoding an Explicit [0], and then the outer Sequence is decoding the second inner Triplet, so I actually get:

 

Sequence (

          Implicit [2]

          Explicit [0] (OID)

          Explicit [0] (String))

 

instead of:

 

Sequence (

          Implicit [2]

          Explicit [0] (

                      OID

                      Explicit [0]))

 

the corresponding length is messed up when I re-encode it.

 

That's funny, as we agree.  I'll post to the ASN1 list...

 

later,

Rob

 

On Mar 20, 2007, at 4:30 PM, Ron Teitelbaum wrote:

 

So it’s an explicit cv holding onto an explicit cv and another value.  Notice the problem goes back even further and happens twice for this extension.  So assuming that this problem matches with the asn rules then can we say that we encode, for size only, the content of an explicit contenxt value as a collection when the element size doesn’t match the first size.   

So encode is

            checkValueSize against next item and set value to collection if necessary, then decode until size is reached.

And decode is

            If value is collection then encode items in collection and then set size from encoded values.

I still want to check the docs but I’m guessing that I just missed this possibility. 

Since the ECV is just a wrapper for the tag number, (and your isPrimitive flag), would this cause any other problems?


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers
In reply to this post by Ron Teitelbaum

On Mar 21, 2007, at 10:15 AM, Ron Teitelbaum wrote:

What do you think?  Does changing 160 to ANS1ExplicitContextValueConstructed fix things?  I suppose that we could also, if it makes sense, extend the ECV functionality to include handling multiple values if bit 6 = 1 and eliminate some duplication of code (i.e. isPrimitive, but does isPrimitive make sense for ECVC?)


I am trying to find out the intersection of Explicit/Implicit and Primitive/Constructed.  I think what I am learning is that the Primitive/Constructed is represented in the tag of a Triplet, but the Explicit/Implicit is a property of the Type Module defining user types.  We don't have any representation of that, since we are wrapping it all in an ASN1ExplicitContextValue.

I am still wrapping both Primitive and Constructed, but I took you advice and allowed Constructed types to have more than one value - i.e. an Implicit Sequence

We really need to do what you were working on it seems with your ASN1DefinitionModel.  We need to be able to provide the Type definition to the parser, which is just the #fromAsnDer: method, and allow the BER to be mapped to user classes.  Big job.

Rob



_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers
In reply to this post by Ron Teitelbaum

On Mar 21, 2007, at 9:59 AM, Ron Teitelbaum wrote:

Rob,

 

I think what we have is a

 

3.2 Constructed, definite-length method
This method applies to simple string types, structured types, types derived
simple string types and structured types by implicit tagging, and types derived
from anything by explicit tagging. It requires that the length of the value be
known in advance. The parts of the BER encoding are as follows:
Identifier octets. As described in Section 3.1, except that bit 6 has value "1,"
indicating that the encoding is constructed.

It turns out to be Implicit, which means you don't have the value encoded with explicit tags.  The definition specifies the type, in this case a Sequence. 

 The value 160 (1 in bit 6) should be considered a Constructed, Definite-length field.  I’m still researching it but it would seem to me that this is how you define a user object within a value.  Instead of having a primitive data type within an explicit context value you have a constructed data type (in our world an object with ivars).

It is constructed because it is not a simple "primitive" type.

 I’m still reading but I think that we may be able to replace 160 with ASN1ExplicitContextValueConstructed that has a definite length and holds the values in a sequence.  Do you have the actual ANS.1 definition for this extension?  I’d be interested if it says that it’s explicit constructed.

It's Implicit constructed.  Here is the definition:

-- subject alternative name extension OID and syntax

id-ce-subjectAltName OBJECT IDENTIFIER ::=  { id-ce 17 }

SubjectAltName ::= GeneralNames

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

GeneralName ::= CHOICE {
     otherName                       [0]     AnotherName,
     rfc822Name                      [1]     IA5String,
     dNSName                         [2]     IA5String,
     x400Address                     [3]     ORAddress,
     directoryName                   [4]     Name,
     ediPartyName                    [5]     EDIPartyName,
     uniformResourceIdentifier       [6]     IA5String,
     iPAddress                       [7]     OCTET STRING,
     registeredID                    [8]     OBJECT IDENTIFIER }

-- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
-- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax

AnotherName ::= SEQUENCE {
     type-id    OBJECT IDENTIFIER,
     value      [0] EXPLICIT ANY DEFINED BY type-id }

EDIPartyName ::= SEQUENCE {
     nameAssigner            [0]     DirectoryString OPTIONAL,
     partyName               [1]     DirectoryString }

and my bytes specify:

Sequence {
dNSName [2]  IA5String,
otherName [0] AnotherName}

where AnotherName is an Implicit sequence.

Rob


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

RE: Debugging SSL on Linux

Ron Teitelbaum
In reply to this post by Rob Withers

Rob,

 

I need to digest all this and read up some more.  I’m still suck on the bit 6.  Doesn’t the 1 in bit 6 mean that we have a constructed value?  Which I translate to mean an object with ivars.  

 

I read your other emails and I think I’m catching onto the issues.  I’m not sure I understand what combinations are possible.

 

Primitive means single data element  (i.e. String)

Constructed means multiples (i.e. SomeObject).

 

Explicit means field name comes from ANS definition.

Implicit means field name comes from data?

 

Although I’m not sure.  Like I said I need to read up some more.

 

The definition parser is really not that complicated.  It is almost done, I was hoping to add pragmas onto objects to allow reading and writing to asn from the metadata on the ivars.  This would tie the definition to the object model.  Problem is having enough time to finish it. 

 

Ron

 

 


From: [hidden email] [mailto:[hidden email]] On Behalf Of Robert Withers
Sent: Wednesday, March 21, 2007 4:27 PM
To: [hidden email]
Subject: Re: [Cryptography Team] Debugging SSL on Linux

 

 

On Mar 21, 2007, at 10:15 AM, Ron Teitelbaum wrote:



What do you think? Does changing 160 to ANS1ExplicitContextValueConstructed fix things? I suppose that we could also, if it makes sense, extend the ECV functionality to include handling multiple values if bit 6 = 1 and eliminate some duplication of code (i.e. isPrimitive, but does isPrimitive make sense for ECVC?)

 

I am trying to find out the intersection of Explicit/Implicit and Primitive/Constructed. I think what I am learning is that the Primitive/Constructed is represented in the tag of a Triplet, but the Explicit/Implicit is a property of the Type Module defining user types. We don't have any representation of that, since we are wrapping it all in an ASN1ExplicitContextValue.

 

I am still wrapping both Primitive and Constructed, but I took you advice and allowed Constructed types to have more than one value - i.e. an Implicit Sequence

 

We really need to do what you were working on it seems with your ASN1DefinitionModel. We need to be able to provide the Type definition to the parser, which is just the #fromAsnDer: method, and allow the BER to be mapped to user classes. Big job.

 

Rob

 


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography
Reply | Threaded
Open this post in threaded view
|

Re: Debugging SSL on Linux

Rob Withers
Ron,

This is all very complicated and some careful thought needs to be given on how to proceed.  The good news is that by turning off the decoding of CertificateExtensions, everything works as it stands.  To take the next steps and really implement ASN.1, we need to handle Explicit and Implicit tagging of user defined Types.

I was glad you picked a point and restarted the conversation.  What follows is more of the mess...

On Mar 21, 2007, at 5:04 PM, Ron Teitelbaum wrote:

I need to digest all this and read up some more.  I’m still suck on the bit 6.  Doesn’t the 1 in bit 6 mean that we have a constructed value?  Which I translate to mean an object with ivars.  

Bit 6 being constructed does not mean that it is an object with ivars.  BER encoding allows primitive types to be constructed.  DER encoding prevents this, but there are other Explicit types which can be constructed that are not objects with ivars.

I played around with VW this afternoon an the way they model a user defined type is shown as an example which defines the Type #TBSCertificate:

( x509Module SEQUENCE: #TBSCertificate )
addElement: #version type: #Version tag: 0 tagging: #explicit default: 0;
addElement: #serialNumber type: #CertificateSerialNumber;
addElement: #signature type: #AlgorithmIdentifier;
addElement: #issuer type: #Name;
addElement: #validity type: #Validity;
addElement: #subject type: #Name;
addElement: #subjectPublicKeyInfo type: #SubjectPublicKeyInfo;
addOptionalElement: #issuerUniqueID type: #UniqueIdentifier tag: 1 tagging: #implicit;
addOptionalElement: #subjectUniqueID type: #UniqueIdentifier tag: 2 tagging: #implicit;
addOptionalElement: #extensions type: #Extensions tag: 3 tagging: #explicit;
mapping: TBSCertificate;
retainEncoding: true.

The DERStream then uses this type to unpack the values and map them to TBSCertificate.  Notice the 3 OptionaElements.  2 are Implicit and 1 is Explicit.  This has to do with how the tagging shakes out.  

The first Implicit type hides the type tag of the underlying UniqueIdentifier with the Implicit [1], so there is no tag explicitly for the UniqueIdentifier.  The Type definition knows this, which we re missing in our implementation.
{10000001} [length octet] [UniqueIdentifier value]

The Explicit type does not hide the underlying type tag, and it doesn't have to be sequence.
{10100011} [length octet] [{00110000} [length octet] [Extension values]]



In the original case I brought up, there is an Implicit constructed Sequence, which was tagged:
{10100000} [length octet] [Sequence values] 


Primitive means single data element  (i.e. String)

Constructed means multiples (i.e. SomeObject).

This is not necessarily true.  Your original posting pointed it out:
 3.2 Constructed, definite-length method
This method applies to simple string types, structured types, types derived
simple string types and structured types by implicit tagging, and types derived
from anything by explicit tagging. It requires that the length of the value be
known in advance. The parts of the BER encoding are as follows:
Identifier octets. As described in Section 3.1, except that bit 6 has value "1,"
indicating that the encoding is constructed.

It can be "simple string types, ..., types derived from anything by explicit tagging".  In BER encoding, you can encode an IA5String with the constructed type:
36 13
   16 05 74 65 73 74 31
   16 01 40
   16 07 72 73 61 2e 63 6f 6d
constructed encoding: "test1" + "@" + "rsa.com"
In DER encoding it has to be primitive, however.

 Explicit means field name comes from ANS definition.

Implicit means field name comes from data?

Explicit means it wraps a full Triplet [Explicit tag] [length1] [Underlying tag] [length2] [value].  Implicit retags the underlying Triplet [Implicit tag] [length] [value]

Both come from the type definition and that is what is needed to know how to decode/encode these structures.

 Although I’m not sure.  Like I said I need to read up some more.

I got a lot of this from the doc you are using "A Layman's Guide to a Subset of ASN.1,. BER, and DER"

 The definition parser is really not that complicated.  It is almost done, I was hoping to add pragmas onto objects to allow reading and writing to asn from the metadata on the ivars.  This would tie the definition to the object model.  Problem is having enough time to finish it. 

I personally don't like pragmas.  I prefer to use a Type-MetaType pattern and have the Type instance separate from the associated class.  Whether this Type (the MetaType) comes from a Smalltalk construction, like the VW example, or comes out of an ASN.1 Definition Parser is a wash.  The goal is the execution environment of the decoding will be a stream with a Type to interpret the tags and values.  Unless I am missing something.  In honesty, I don't know what you have done.

Lot's to chew on,
Robert


_______________________________________________
Cryptography mailing list
[hidden email]
http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography