Re: [webauthn] Signature format needs to be defined from =JeffH via GitHub on 2018-02-15 (public-webauthn@w3.org from February 2018)

From: =JeffH via GitHub <sysbot+gh@w3.org>
Date: Thu, 15 Feb 2018 23:56:18 +0000
To: public-webauthn@w3.org
Message-ID: <issue_comment.created-366102357-1518738977-sysbot+gh@w3.org>

@nadalin: this is a technical issue.

@selfissued wrote:
> look at https://tools.ietf.org/html/rfc8017#appendix-A.2.4 (RSASSA-PKCS-v1_5). It contains definitions for both DigestInfo, which includes an ASN.1 OID for the digest algorithm, and for "digest", which doesn't.  

AFAICT, https://tools.ietf.org/html/rfc8017#appendix-A.2.4 is describing only the object identifier for RSASSA-PKCS-v1_5, and the `digest` is actually a **hash value**, not a resulting signature per se.  E.g., see the definition for [EMSA-PKCS1-v1_5](https://tools.ietf.org/html/rfc8017#section-9.2) wherein DigestInfo is utilized.

WRT the actual signature values produced by the two "Signature Generation Operation"s given in RFC8017  ([RSASSA-PSS-SIGN](https://tools.ietf.org/html/rfc8017#section-8.1.1), [RSASSA-PKCS1-V1_5-SIGN](https://tools.ietf.org/html/rfc8017#section-8.2.1)) , it appears their output is specified as a "plain" (aka "raw") octet string (i.e., _**not**_ an ASN.1 OCTET STRING):
```
Output:

      S        signature, an octet string of length k, where k is the
               length in octets of the RSA modulus n
```
In the case of [ECDSA](https://tools.ietf.org/html/rfc8152#section-8.1) in RFC8152, it appears the signature output is also a "plain" (aka "raw") octet string ([as @agl effectively notes above](https://github.com/w3c/webauthn/issues/799#issuecomment-366025885)):
```
Using the function [I2OSP] defined in [RFC8017], the signature is:
   Signature = I2OSP(R, n) | I2OSP(S, n)
   where n = ceiling(key_length / 8)
```
To note: 

[U2F clearly defines that the signature value](https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-u2f-raw-message-formats-v1.2-ps-20170411.html#registration-response-message-success) "..is encoded in ANSI X9.62 format..."  This aligns with [RFC3279](https://tools.ietf.org/html/rfc3279#section-2.2.3). 

[webauthn states only that](https://w3c.github.io/webauthn/#alg-identifier): "A COSEAlgorithmIdentifier's value is a number identifying a cryptographic algorithm. The algorithm identifiers SHOULD be values registered in the IANA COSE Algorithms registry [IANA-COSE-ALGS-REG]..."  These appear to produce "plain" (aka "raw") octet string signature values, [as @agl notes above](https://github.com/w3c/webauthn/issues/799#issuecomment-366025885), and [as @jimsh notes above](https://github.com/w3c/webauthn/issues/799#issuecomment-366025866). 

In any case, webauthn ought to clarify the signature value encoding format in the case of specific signature algorithms.  We may wish to also specify a set of recommended signature algs rather than leaving it open to any/all of the sig algs listed in the IANA COSE Algorithms registry, such that RPs have a constrained set of sig algs to implement.  

For example, see how we did this in [Token Binding Protocol](https://tools.ietf.org/html/draft-ietf-tokbind-protocol-16#section-3.3). 





-- 
GitHub Notification of comment by equalsJeffH
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/799#issuecomment-366102357 using your GitHub account

Received on Thursday, 15 February 2018 23:56:22 UTC