CSAF Downloader - Signature verification for suse.com fails for SHA1 digest #603

Closed
mgoetzegb opened this issue Dec 4, 2024 · 11 comments
Labels
csaf_checker csaf_downloader Not our bug something is not working, but it is due to a problem in the infrastructure beyond our control service+dev

Comments

@mgoetzegb
Contributor

Bug Summary

CSAF Downloader Signature verification for suse.com fails, but works with gpg in the command line. This issue appeared with the latest state in main (commit 1daaed2). The error is Invalid signature caused by openpgp: invalid data: hash algorithm or salt mismatch with cleartext message headers

To reproduce

Execute in a bash (like) shell in the repo root (with go installed):

git checkout 1daaed2c516d3fd674eb99c39dfc5f87ba43f78a # latest state on main, when issue was created
go run ./cmd/csaf_downloader --log_level debug -d suse suse.com

Currently gives the error message in the log (and same for all other csaf documents, except for one)

{
    "time": "2024-12-03T15:47:16+01:00",
    "level": "ERROR",
    "msg": "Validation check failed",
    "error": "cannot verify signature for https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json: Signature Verification Error: Invalid signature caused by openpgp: invalid data: hash algorithm or salt mismatch with cleartext message headers"
}

Only a single signature verification out of 22278 CSAF documents from suse.com succeeded.

However when doing the verification via gpg in the command line, the verification succeeds:

# links are taken from the csaf downloader log, see full logs below
wget  https://ftp.suse.com/pub/projects/security/keys/security-automation.asc # public key
wget https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json # csaf document
wget https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json.asc # csaf document signature

gpg --import security-automation.asc
gpg --verify opensuse-su-2016_1623-1.json.asc opensuse-su-2016_1623-1.json

The output of the last command is:

gpg: Signature made Di 14 Mai 2024 17:09:30 CEST
gpg:                using RSA key D4439E7EC133994D
gpg: Good signature from "SUSE Security Automation Key (only for automation data) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 6B62 473B D771 517D 41E6  84DF D443 9E7E C133 994D 

Expected behavior

Expected signature check to succeed, but it failed.

Full log output

To give context, the full log output of the command go run ./cmd/csaf_downloader --log_level debug -d suse suse.com until the first error message appeared :

{"time":"2024-12-03T15:47:15+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://suse.com/.well-known/csaf/provider-metadata.json"}
{"time":"2024-12-03T15:47:15+01:00","level":"DEBUG","msg":"Redirecting","to":"https://www.suse.com/.well-known/csaf/provider-metadata.json","via":"https://suse.com/.well-known/csaf/provider-metadata.json"}
{"time":"2024-12-03T15:47:15+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://suse.com/.well-known/security.txt"}
{"time":"2024-12-03T15:47:15+01:00","level":"DEBUG","msg":"Redirecting","to":"https://www.suse.com/.well-known/security.txt","via":"https://suse.com/.well-known/security.txt"}
{"time":"2024-12-03T15:47:15+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/keys/security-automation.asc"}
{"time":"2024-12-03T15:47:15+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/changes.csv"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1769-1.json"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1769-1.json.sha256"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json.sha256"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json.sha512"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1769-1.json.sha512"}
{"time":"2024-12-03T15:47:16+01:00","level":"WARN","msg":"Cannot fetch SHA512","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json.sha512","error":"fetching hash from 'https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json.sha512' failed: 404 Not Found (404)"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json.asc"}
{"time":"2024-12-03T15:47:16+01:00","level":"WARN","msg":"Cannot fetch SHA512","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1769-1.json.sha512","error":"fetching hash from 'https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1769-1.json.sha512' failed: 404 Not Found (404)"}
{"time":"2024-12-03T15:47:16+01:00","level":"DEBUG","msg":"http","who":"downloader","method":"GET","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1769-1.json.asc"}
{"time":"2024-12-03T15:47:16+01:00","level":"ERROR","msg":"Validation check failed","error":"cannot verify signature for https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2016_1623-1.json: Signature Verification Error: Invalid signature caused by openpgp: invalid data: hash algorithm or salt mismatch with cleartext message headers"}
@bernhardreiter bernhardreiter added service+dev investigation_needed This item needs investigation labels Dec 4, 2024
@bernhardreiter
Member

Thanks for reporting, we will look into it.

@s-l-teichmann
Contributor

What we do at core is this:

sigcheck.tar.gz

leads to (after building):

./sigcheck -key security-automation.asc -sign opensuse-su-2016_1623-1.json.asc -doc opensuse-su-2016_1623-1.json.asc 
2024/12/04 17:15:15 error: Signature Verification Error: Invalid signature caused by openpgp: invalid data: hash algorithm or salt mismatch with cleartext message headers

@s-l-teichmann
Contributor

Running this in the debugger shows:
[Screenshot: 2024-12-04-17-46-11_1485x1572]

So it is SHA1 and that is none of the expected SHA224, SHA256, SHA384, SHA512, SHA3_256 or SHA3_512

@s-l-teichmann
Contributor

s-l-teichmann commented Dec 4, 2024

With gpg (GnuPG) 2.4.6:

 gpg --list-packet < security-automation.asc | grep "digest algo"
	digest algo 2, begin of digest 75 52
	digest algo 2, begin of digest 30 0c

Algo 2 is SHA-1, see https://www.rfc-editor.org/rfc/rfc4880#section-9.4
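
Added example (not from the thread and not the csaf project's code): a Go check that reads the hash algorithm ID directly from an armored detached signature, the same field the gpg packet listing above shows, and compares it with the accepted digest list quoted earlier in the thread. The helper name `SigDigest` and the embedded sample are constructed for illustration; only v3 and v4 signature packets are handled.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// Hash algorithm IDs: RFC 4880 section 9.4, SHA-3 IDs from RFC 9580.
var hashNames = map[byte]string{1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
	9: "SHA384", 10: "SHA512", 11: "SHA224", 12: "SHA3_256", 14: "SHA3_512"}

// accepted mirrors the digest list quoted in this thread.
var accepted = map[byte]bool{8: true, 9: true, 10: true, 11: true, 12: true, 14: true}

// Constructed sample: armored, truncated v4 signature packet that declares SHA-1.
const sample = "-----BEGIN PGP SIGNATURE-----\n\nwgQEAAEC\n-----END PGP SIGNATURE-----\n"

// SigDigest (hypothetical helper): digest of the first signature packet, and if it is accepted.
func SigDigest(armored string) (string, bool, error) {
	armored = strings.ReplaceAll(armored, "\r", "")
	_, rest, _ := strings.Cut(armored, "\n\n") // a blank line ends the armor headers
	data, _, _ := strings.Cut(rest, "\n=")     // drop the optional CRC24 line
	data, _, _ = strings.Cut(data, "\n-----END")
	p, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(data), ""))
	if err != nil || len(p) < 2 || p[0]&0x80 == 0 {
		return "", false, fmt.Errorf("no OpenPGP packet found")
	}
	tag, hdr := p[0]>>2&0x0f, []int{2, 3, 5, 1}[p[0]&3] // old-format packet header
	if p[0]&0x40 != 0 {                                 // new-format packet header
		tag, hdr = p[0]&0x3f, 2
		if p[1] >= 192 && p[1] < 224 {
			hdr = 3
		} else if p[1] == 255 {
			hdr = 6
		}
	}
	if tag != 2 || len(p) <= hdr {
		return "", false, fmt.Errorf("first packet is not a signature")
	}
	off := hdr + map[byte]int{3: 16, 4: 3}[p[hdr]] // hash ID offset in v3 / v4 bodies
	if off == hdr || len(p) <= off {
		return "", false, fmt.Errorf("unsupported or truncated signature packet")
	}
	return hashNames[p[off]], accepted[p[off]], nil
}

func main() {
	fmt.Println(SigDigest(sample)) // SHA1 false <nil>
}
```

Run against each `.asc` file before publishing, a check like this flags signatures that a verifier restricted to the accepted list will reject, without needing the public key.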

@s-l-teichmann
Contributor

s-l-teichmann commented Dec 5, 2024

ProtonMail/gopenpgp#101 (comment) (tnx @koplas for finding this)

There are at least some possible ways to act here.

  1. Tell suse.com to stop using SHA-1 digests
  2. We could use the lower-level function openpgp.VerifyDetachedSignatureAndHash, which allows us to give our own list of hashes. In this case we have to do more than with the more convenient one we use at the moment.
  3. ... Check if a move from v2 to v3 of the library would ease this.

@bernhardreiter bernhardreiter added csaf_downloader and removed investigation_needed This item needs investigation labels Dec 5, 2024
@bernhardreiter
Member

Use of SHA1 as digest algorithm is strongly discouraged. As CSAF 2.0 is a new application, there is no need for legacy support.

So this should be fixed on suse.com's side.

References:

@bernhardreiter bernhardreiter added csaf_checker Not our bug something is not working, but it is due to a problem in the infrastructure beyond our control labels Dec 5, 2024
@bernhardreiter bernhardreiter closed this as not planned Won't fix, can't repro, duplicate, stale Dec 5, 2024
@bernhardreiter bernhardreiter changed the title CSAF Downloader - Signature verification for suse.com fails, but works with gpg command line CSAF Downloader - Signature verification for suse.com fails for SHA1 digest Dec 5, 2024
@mgoetzegb
Contributor Author

Thank you a lot for the very quick and detailed feedback.

It makes sense to me as well, not to support the outdated algorithm.

I reached out to SUSE and asked them if they could use a more secure algorithm for their signing.

@mgoetzegb
Contributor Author

One question regarding this: Does the csaf_uploader reject such a key as well, so that this is consistent in the tooling and the user can't use it to upload data which can't be downloaded with the CSAF Downloader?

@bernhardreiter
Member

Does the csaf_uploader reject such a key as well, so that this is consistent in the tooling and the user can't use it to upload data which can't be downloaded with the CSAF Downloader?

I currently don't know if we check the signature if it is externally provided.

But a good mode of the csaf_provider is that it does the signing as well and then it will be a modern OpenPGPv4 signature.

@bernhardreiter
Member

Does the csaf_uploader reject such a key as well, so that this is consistent in the tooling and the user can't use it to upload data which can't be downloaded with the CSAF Downloader?

The more common use of csaf_provider is to let it do the signing. In this case it will be a modern OpenPGPv4 signature.

You can upload an externally signed CSAF document as well, I currently do not know if the signature will be checked then.

@msmeissn

msmeissn commented Dec 6, 2024

fwiw I changed gpg's default hashing alg to SHA256 for the SUSE data.
