
P-384 and ecdsa-with-SHA512: is it allowed?


Corey Bonnell

Feb 9, 2019, 8:55:21 PM
to mozilla-dev-s...@lists.mozilla.org
Hello,
Section 5.1 of the Mozilla Root Store Policy (https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/) specifies the allowed set of key and signature algorithms for roots and certificates that chain to roots in the Mozilla Root Store. Specifically, the following hash algorithms and ECDSA hash/curve pairs are allowed:

• Digest algorithms: SHA-1 (see below), SHA-256, SHA-384, or SHA-512.
• P-256 with SHA-256
• P-384 with SHA-384

Given this, if an End-Entity certificate were signed using a subordinate CA’s P-384 key with ecdsa-with-SHA512 as the signature algorithm (which would be reflected in the End-Entity certificate's signatureAlgorithm field), would this violate Mozilla policy? As I understand it, an ECDSA signing operation with a P-384 key using SHA-512 would be equivalent to using SHA-384 (due to the truncation that occurs), so I am unsure if this would violate the specification above (although the signatureAlgorithm field value would be misleading). I believe the same situation exists if a P-256 key is used for a signing operation with SHA-384.

Any insight into whether this is allowed or prohibited would be appreciated.

Thanks,
Corey

Ryan Sleevi

Feb 10, 2019, 6:33:19 AM
to Corey Bonnell, mozilla-dev-s...@lists.mozilla.org
I don’t think you can read that policy, as written, and legitimately
interpret it as allowed. It’s literally not listed.



Corey Bonnell

Feb 11, 2019, 9:17:43 PM
to mozilla-dev-s...@lists.mozilla.org
Thanks, Ryan, for weighing in. I suspected that such certificates would be prohibited but wanted confirmation.

The motivation for my inquiry was that I discovered the following set of unexpired, unrevoked certificates which are signed with a P-384 sub-CA key using the ecdsa-with-SHA512 signature algorithm. Given that this hash/curve pair is not allowed, I believe that these certificates run afoul of Mozilla Root Store Policy:

DigiCert

Thanks,
Corey

Jakob Bohm

Feb 11, 2019, 10:01:41 PM
to mozilla-dev-s...@lists.mozilla.org
Using the same DSA or ECDSA key with more than one hash algorithm
violates the cryptographic design of DSA/ECDSA, because those don't
include a hash identifier into the signature calculation. It's
insecure to even accept such signatures, as it would make the
signature checking code vulnerable to 2nd pre-image attacks on the
hash algorithm not used by the actual signer to generate
signatures. It would also be vulnerable to cross-hash pre-image
attacks that are otherwise not considered weaknesses in the hash
algorithms.

Furthermore, the FIPS essentially (if not explicitly) require using
a shortened 384-bit variant of SHA-512 as input to P-384 ECDSA,
and the only approved such shortened version is, in fact, SHA-384.

Using the same P-384 ECDSA key pair with both SHA-384 and
SHA-3-384 might be within some readings of the FIPS, but would
still be vulnerable to the issue above (imagine a pre-image
weakness being found in either hash algorithm, all signatures
with such a key would then become suspect).


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Wayne Thayer

Feb 12, 2019, 3:15:09 PM
to Jakob Bohm, mozilla-dev-security-policy
Thanks Corey and Jakob, I opened a bug for this:
https://bugzilla.mozilla.org/show_bug.cgi?id=1527423

Corey, did you report this via DigiCert's problem reporting mechanism?

Thanks,

Wayne


Corey Bonnell

Feb 12, 2019, 9:00:19 PM
to mozilla-dev-s...@lists.mozilla.org
I didn't report this issue to DigiCert's problem reporting mechanism as I believe this is not a mis-issuance under the Baseline Requirements, but rather a violation specific to Mozilla Root Store Policy (section 6.1.5 of the Baseline Requirements does not mandate any curve/hash pairs).