Signature verification failures when using a certificate chain

[aerofeev2k]

Hi,

I'm unable to set up a TLS connection using certificate chain generated with falcon1024 (and other PQ algorithms too for that matter), OpenSSL is throwing a signature verification error on the connecting side:

(/build/oqsprovider/oqsprov/oqs_sig.c:438)error:06880006:asn1 encoding routines::EVP lib: (crypto/asn1/a_verify.c:216)error:0A000086:SSL routines::certificate verify failed: (ssl/statem/statem_clnt.c:2091)

Signature verification callback says that the certificate at depth 1, i.e. self-signed CA certificate, was verified OK, but the next certificate at depth 0, i.e. the one that was signed with the CA certificate, failed to verify.

I then went through the OpenSSL code and realized that by default it doesn't even check signatures on self-signed certs, to save CPU cycles. Checked oqs_test_tlssig.c that ships with oqs-provider, and found that it's only doing tests with a single self-signed certificate. OpenSSL doesn't do any certificate signature verifications in this case, and so if there's a problem, the test likely doesn't catch it. Finally I added a quick X509_self_signed(x509, 1) call to create_cert_key() in tlstest_helpers.c, and that gave me 0 back, meaning that the freshly generated self-signed certificate failed to verify.

My code works with "RSA" in place of "falcon1024", i.e. OpenSSL can verify signatures on both certificates in the chain, and TLS connection gets established successfully. test_oqs_tlssig("RSA") also produces a certificate, for which X509_self_signed(x509, 1) retuns 1, as it should.

Being new to Falcon, Sphincs, etc, I may be doing something terribly wrong here, but still would like to ask: has anybody tried opening TLS connections with a basic certificate chain? Any tricks in making it work?

This is openssl-3.2.1, liboqs-0.9.2 and oqsprovider-0.5.3.

Thanks!

[baentsch]

has anybody tried opening TLS connections with a basic certificate chain?

Yes, please check out https://test.openquantumsafe.org whether that does what you want to achieve. Otherwise, please provide code (bug-reproducing PR would be ideal) to explain the problem (and eventually test a possible fix).

[aerofeev2k]

X509_self_signed(x509, 1) plugged into create_cert_key() shows an immediate signature verification error. It should return 1 (as it does for RSA), but returns 0 for every PQ method.

Here's the diff for the plug. I had to add a one-liner to test_common.c as well because w/o it oqs_test_tlssig wasn't even doing anything.

diff --git a/test/test_common.c b/test/test_common.c
index 19382c9..550e819 100644
--- a/test/test_common.c
+++ b/test/test_common.c
@@ -62,6 +62,7 @@ void load_oqs_provider(OSSL_LIB_CTX *libctx, const char *modulename,                        
     (void)configfile;
     T(OSSL_PROVIDER_add_builtin(libctx, modulename,
                                 OQS_PROVIDER_ENTRYPOINT_NAME));
+    T(OSSL_PROVIDER_load(libctx, modulename));
     T(OSSL_PROVIDER_load(libctx, "default"));
 }

diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
index c249088..70e8606 100644
--- a/test/tlstest_helpers.c
+++ b/test/tlstest_helpers.c
@@ -34,6 +34,8 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename,                
         || !(certbio = BIO_new_file(certfilename, "wb"))
         || !PEM_write_bio_X509(certbio, x509))
         ret = 0;
+   
+   printf("X509_self_signed(%s)=%d\n", algname, X509_self_signed(x509, 1));

     EVP_PKEY_free(pkey);
     X509_free(x509);

Here's the stack where it fails. Same place (oqs_sig.c:438) where it fails on the client when verifying server certificate that was signed by a PQ CA certificate:

#0  oqs_sig_verify (vpoqs_sigctx=0xb24db0, sig=0xb22c50 "\265\237\211.\022M\016\360\207\263NM~\250\063\002^K\362\245=\255", siglen=2420, 
    tbs=0xb2d940 "0\202\005\326\002\001\001\060\r\006\v+\006\001\004\001\002\202\v\a\004\004\060\064\061\v0\t\006\003U\004\006\023\002CH1\021\060\017\006\003U\004\n\023\btest.org1\022\060\020\006\003U\004\003\023\tlocalhost0\036\027\r240304192641Z\027\r250304192641Z041\v0\t\006\003U\004\006\023\002CH1\021\060\017\006\003U\004\n\023\btest.org1\022\060\020\006\003U\004\003\023\tlocalhost0\202\005\064\060\r\006\v+\006\001\004\001\002\202\v\a\004\004\003\202\005!", tbslen=1498)
    at /build/oqsprovider/oqsprov/oqs_sig.c:438
#1  0x00000000008317ec in oqs_sig_digest_verify_final (vpoqs_sigctx=0xb24db0, sig=0xb22c50 "\265\237\211.\022M\016\360\207\263NM~\250\063\002^K\362\245=\255", siglen=2420)
    at /build/oqsprovider/oqsprov/oqs_sig.c:598
#2  0x00000000005e419f in EVP_DigestVerifyFinal (ctx=0xb2d300, sig=0xb22c50 "\265\237\211.\022M\016\360\207\263NM~\250\063\002^K\362\245=\255", siglen=2420) at crypto/evp/m_sigver.c:638
#3  0x00000000005e45b5 in EVP_DigestVerify (ctx=0xb2d300, sigret=0xb22c50 "\265\237\211.\022M\016\360\207\263NM~\250\063\002^K\362\245=\255", siglen=2420, 
    tbs=0xb247c0 "0\202\005\326\002\001\001\060\r\006\v+\006\001\004\001\002\202\v\a\004\004\060\064\061\v0\t\006\003U\004\006\023\002CH1\021\060\017\006\003U\004\n\023\btest.org1\022\060\020\006\003U\004\003\023\tlocalhost0\036\027\r240304192641Z\027\r250304192641Z041\v0\t\006\003U\004\006\023\002CH1\021\060\017\006\003U\004\n\023\btest.org1\022\060\020\006\003U\004\003\023\tlocalhost0\202\005\064\060\r\006\v+\006\001\004\001\002\202\v\a\004\004\003\202\005!", tbslen=1498) at crypto/evp/m_sigver.c:716
#4  0x0000000000561491 in ASN1_item_verify_ctx (it=0xa2abe0 <local_it>, alg=0xacbb98, signature=0xacbba8, data=0xacbb10, ctx=0xb2d300) at crypto/asn1/a_verify.c:213
#5  0x0000000000560f2e in ASN1_item_verify_ex (it=0xa2abe0 <local_it>, alg=0xacbb98, signature=0xacbba8, data=0xacbb10, id=0x0, pkey=0xacbee0, libctx=0x0, propq=0x0) at crypto/asn1/a_verify.c:103
#6  0x00000000004f4b06 in X509_verify (a=0xacbb10, r=0xacbee0) at crypto/x509/x_all.c:36
#7  0x00000000004e234e in X509_self_signed (cert=0xacbb10, verify_signature=1) at crypto/x509/x509_vfy.c:112
#8  0x0000000000483bc8 in create_cert_key (libctx=0xa9d2a0, algname=0xab79d0 "dilithium2", certfilename=0x7fffffffdf70 "/tmp/certs/dilithium2_srv.crt", privkeyfilename=0x7fffffffde40 "/tmp/certs/dilithium2_srv.key")
    at /build/oqsprovider/test/tlstest_helpers.c:38
#9  0x0000000000483263 in test_oqs_tlssig (sig_name=0xab79d0 "dilithium2") at /build/oqsprovider/test/oqs_test_tlssig.c:51
#10 0x00000000004833ff in test_signature (params=0xa59a20 <oqs_param_sigalg_list>, data=0x7fffffffe2c8) at /build/oqsprovider/test/oqs_test_tlssig.c:115
#11 0x000000000082a043 in oqs_sigalg_capability (cb=0x48336d <test_signature>, arg=0x7fffffffe2c8) at /build/oqsprovider/oqsprov/oqsprov_capabilities.c:545
#12 0x000000000082a0cf in oqs_provider_get_capabilities (provctx=0xab7250, capability=0x8f819c "TLS-SIGALG", cb=0x48336d <test_signature>, arg=0x7fffffffe2c8)
    at /build/oqsprovider/oqsprov/oqsprov_capabilities.c:561
#13 0x00000000004c34f4 in ossl_provider_get_capabilities (prov=0xa9f890, capability=0x8f819c "TLS-SIGALG", cb=0x48336d <test_signature>, arg=0x7fffffffe2c8) at crypto/provider_core.c:1652
#14 0x00000000004bee57 in OSSL_PROVIDER_get_capabilities (prov=0xa9f890, capability=0x8f819c "TLS-SIGALG", cb=0x48336d <test_signature>, arg=0x7fffffffe2c8) at crypto/provider.c:123
#15 0x00000000004834e7 in test_provider_signatures (provider=0xa9f890, vctx=0x7fffffffe2c8) at /build/oqsprovider/test/oqs_test_tlssig.c:141
#16 0x00000000004c30b8 in ossl_provider_doall_activated (ctx=0xa9d2a0, cb=0x48348f <test_provider_signatures>, cbdata=0x7fffffffe2c8) at crypto/provider_core.c:1483
#17 0x00000000004bef78 in OSSL_PROVIDER_do_all (ctx=0xa9d2a0, cb=0x48348f <test_provider_signatures>, cbdata=0x7fffffffe2c8) at crypto/provider.c:157
#18 0x000000000048362a in main (argc=4, argv=0x7fffffffe3c8) at /build/oqsprovider/test/oqs_test_tlssig.c:172

[aerofeev2k]

Maybe instead of passing the actual tbs and tbslen==1498 here it should first compute a digest and pass the digest's 20 bytes for verification, like it did when calling OQS_SIG_sign() at the time of signing?

oqs-provider/oqsprov/oqs_sig.c

Lines 434 to 441 in fdc65c7

	if (OQS_SIG_verify(oqs_key, tbs, tbslen, sig + index,
	siglen - classical_sig_len,
	oqsxkey->comp_pubkey[oqsxkey->numkeys - 1])
	!= OQS_SUCCESS) {
	ERR_raise(ERR_LIB_USER, OQSPROV_R_VERIFY_ERROR);
	goto endverify;
	}
	rv = 1;

[aerofeev2k]

Ahaha, scratch all of that.

This is wrong:

diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
index c249088..c267d69 100644
--- a/test/tlstest_helpers.c
+++ b/test/tlstest_helpers.c
@@ -28,7 +28,7 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename,                
         || !X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                                        (unsigned char *)"localhost", -1, -1, 0)
         || !X509_set_issuer_name(x509, name)
-        || !X509_sign(x509, pkey, EVP_sha1())
+        || !X509_sign(x509, pkey, NULL)
         || !(keybio = BIO_new_file(privkeyfilename, "wb"))
         || !PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL)
         || !(certbio = BIO_new_file(certfilename, "wb"))

It's passing EVP_sha1() to X509_sign(), which makes this code pass the SHA1 digest to oqs_sig_sign():

oqs-provider/oqsprov/oqs_sig.c

Lines 570 to 576 in fdc65c7

	if (poqs_sigctx->mdctx != NULL)
	return oqs_sig_sign(vpoqs_sigctx, sig, siglen, sigsize, digest,
	(size_t)dlen);
	else
	return oqs_sig_sign(vpoqs_sigctx, sig, siglen, sigsize,
	poqs_sigctx->mddata, poqs_sigctx->mdsize);
	}

The verification code on the contrary doesn't compute any digest before calling OQS_SIG_verify(), and so the verification then fails.

I was following examples in your tests, got the same incorrectly signed certificates, and so TLS was failing. Now it's all good.

[baentsch]

Now it's all good.

Sounds good, but as you didn't close the discussion, I'm confused, though: Are you saying you created a wrong test (setup) that then rightfully failed (not warranting any action in OQS) or are you saying we have an incorrect test setup (that warrants a fix)?

[aerofeev2k]

You do have some problems with the tests.

E.g. without this change oqs_test_tlssig doesn't run any tests and just outputs "Test passed" message in static link mode:

diff --git a/test/test_common.c b/test/test_common.c
index 19382c9..550e819 100644
--- a/test/test_common.c
+++ b/test/test_common.c
@@ -62,6 +62,7 @@ void load_oqs_provider(OSSL_LIB_CTX *libctx, const char *modulename,                        
     (void)configfile;
     T(OSSL_PROVIDER_add_builtin(libctx, modulename,
                                 OQS_PROVIDER_ENTRYPOINT_NAME));
+    T(OSSL_PROVIDER_load(libctx, modulename));
     T(OSSL_PROVIDER_load(libctx, "default"));
 }

Here you're creating incorrectly signed certificates:

diff --git a/test/tlstest_helpers.c b/test/tlstest_helpers.c
index c249088..c267d69 100644
--- a/test/tlstest_helpers.c
+++ b/test/tlstest_helpers.c
@@ -28,7 +28,7 @@ int create_cert_key(OSSL_LIB_CTX *libctx, char *algname, char *certfilename,                
         || !X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
                                        (unsigned char *)"localhost", -1, -1, 0)
         || !X509_set_issuer_name(x509, name)
-        || !X509_sign(x509, pkey, EVP_sha1())
+        || !X509_sign(x509, pkey, NULL)
         || !(keybio = BIO_new_file(privkeyfilename, "wb"))
         || !PEM_write_bio_PrivateKey(keybio, pkey, NULL, NULL, 0, NULL, NULL)
         || !(certbio = BIO_new_file(certfilename, "wb"))

And the TLS setup test could benefit from using a chain of two certificates. With just one self-signed certificate in the chain you're not verifying signatures on the certificates at all, and so the above EVP_sha1() went unnoticed.

[baentsch]

E.g. without this change oqs_test_tlssig doesn't run any tests and just outputs "Test passed" message in static link mode:

Thanks for the report, @aerofeev2k . Very correct observation and a true bug. Created #367 to fix.

And the TLS setup test could benefit from using a chain of two certificates.

The OpenSSL command line level tests here and here cater for that (as well as testing that higher abstraction layer) -- admittedly only for a dynamically linked oqsprovider. Another PR very welcome if you feel additional testing for static builds is warranted and can spare the time to contribute.