Properly decoding STH signatures
45 views
Skip to first unread message
Walter Goulet
Feb 4, 2015, 10:02:24 AM2/4/15
to certificate-...@googlegroups.com
Hi,
I'm adding signed tree head signature verification to my CT client and
I'm having some trouble properly decoding the TLS serialized
tree_head_signature. My read of RFC 5246 is that the first 2 bytes of
a digitally signed structure specify the hash and signature algorithm,
with the remaining bytes containing the actual signature.
After testing and then looking at Google's reference implementation
here (https://github.com/google/certificate-transparency/blob/master/python/ct/crypto/verify.py)
I see that the signature length is encoded in the next 2 bytes, so
that you essentially need to skip ahead 4 bytes to get to the actual
signature.
Where is it specified that the digitally signed structure contains
both the hash/signature algorithm spec as well as the length? Section
4.7 of RFC 5246 states that the signature length is specified by the
signature algorithm & key.
Thanks,
Walter
I'm adding signed tree head signature verification to my CT client and
I'm having some trouble properly decoding the TLS serialized
tree_head_signature. My read of RFC 5246 is that the first 2 bytes of
a digitally signed structure specify the hash and signature algorithm,
with the remaining bytes containing the actual signature.
After testing and then looking at Google's reference implementation
here (https://github.com/google/certificate-transparency/blob/master/python/ct/crypto/verify.py)
I see that the signature length is encoded in the next 2 bytes, so
that you essentially need to skip ahead 4 bytes to get to the actual
signature.
Where is it specified that the digitally signed structure contains
both the hash/signature algorithm spec as well as the length? Section
4.7 of RFC 5246 states that the signature length is specified by the
signature algorithm & key.
Thanks,
Walter
Eran Messeri
Feb 4, 2015, 11:46:46 AM2/4/15
to certificate-...@googlegroups.com
You were at the right place: Section 4.7 of RFC5246 specifies DigitallySigned as:
struct {
SignatureAndHashAlgorithm algorithm;
opaque signature<0..2^16-1>;
} DigitallySigned;
with SignatureAndHashAlgorithm being:
struct {
HashAlgorithm hash;
SignatureAlgorithm signature;
} SignatureAndHashAlgorithm;
each of its fields are a single-byte enum.
The signature itself is opaque - section 4.3, Vectors, says:
"Variable-length vectors are defined by specifying a subrange of legal
lengths, inclusively, using the notation <floor..ceiling>. When
these are encoded, the actual length precedes the vector's contents
in the byte stream. The length will be in the form of a number
consuming as many bytes as required to hold the vector's specified
maximum (ceiling) length. "
Hope that answers your question,
Eran
--
You received this message because you are subscribed to the Google Groups "certificate-transparency" group.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Walter Goulet
Feb 4, 2015, 7:10:03 PM2/4/15
to certificate-...@googlegroups.com
That's right; the same method used to encode ASN1.Certs. That answers my question perfectly; thanks!
Happy to report that my client successfully validates STH signatures now.
To unsubscribe from this group and stop receiving emails from it, send an email to certificate-transparency+unsub...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages