From bb444c363334c514ac215077f3cf96b585f02a1d Mon Sep 17 00:00:00 2001 From: David Schinazi Date: Fri, 23 Jun 2023 17:33:16 -0700 Subject: [PATCH 1/2] Contextualize the signature itself --- draft-ietf-httpbis-unprompted-auth.md | 36 ++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/draft-ietf-httpbis-unprompted-auth.md b/draft-ietf-httpbis-unprompted-auth.md index bf5693707..ce86a937e 100644 --- a/draft-ietf-httpbis-unprompted-auth.md +++ b/draft-ietf-httpbis-unprompted-auth.md 
@@ -243,15 +243,45 @@ The key exporter context contains the following fields: Nonce: -: The nonce is to be signed using the client's chosen asymmetric private key. -The resulting signature is then transmitted to the server using the -p Parameter (see {{parameter-p}}). +: The nonce is part of the data signed using the client's chosen asymmetric +private key (see {{computation}}). Verification: : The verification is transmitted to the server using the v Parameter (see {{parameter-v}}). +## Signature Computation {#computation} + +Once the nonce has been extracted from the key exporter output (see +{{output}}), it is prefixed with static data before being signed to mitigate +issues caused by key reuse. The signature is computed over the concatenation of: + +* A string that consists of octet 32 (0x20) repeated 64 times + +* The context string "HTTP Signature Authentication" + +* A single 0 byte which serves as the separator + +* The nonce extracted from the key exporter output (see {{output}}) + +For example, if the nonce has all its 32 bytes set to 01, the content covered +by the signature (in hexadecimal format) would be: + +~~~ +2020202020202020202020202020202020202020202020202020202020202020 +2020202020202020202020202020202020202020202020202020202020202020 +48545450205369676E61747572652041757468656E7469636174696F6E +00 +0101010101010101010101010101010101010101010101010101010101010101 +~~~ + +This constructions mirrors that of the TLS 1.3 CertificateVerify message +defined in {{Section 4.4.3 of TLS}}. + +The resulting signature is then transmitted to the server using the p Parameter +(see {{parameter-p}}). + # Authentication Parameters This specification defines the following authentication parameters: From bcefa17b2b72f9663f32faf7a3dd2fbae7ccba90 Mon Sep 17 00:00:00 2001 
From: David Schinazi Date: Mon, 26 Jun 2023 11:58:00 -0700 Subject: [PATCH 2/2] Apply suggestions from MT's review Co-authored-by: Martin Thomson --- draft-ietf-httpbis-unprompted-auth.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-ietf-httpbis-unprompted-auth.md b/draft-ietf-httpbis-unprompted-auth.md index ce86a937e..edc8659db 100644 --- a/draft-ietf-httpbis-unprompted-auth.md +++ b/draft-ietf-httpbis-unprompted-auth.md @@ -261,7 +261,7 @@ issues caused by key reuse. The signature is computed over the concatenation of: * The context string "HTTP Signature Authentication" -* A single 0 byte which serves as the separator +* A single 0 byte which serves as a separator * The nonce extracted from the key exporter output (see {{output}}) @@ -279,7 +279,7 @@ by the signature (in hexadecimal format) would be: This constructions mirrors that of the TLS 1.3 CertificateVerify message defined in {{Section 4.4.3 of TLS}}. -The resulting signature is then transmitted to the server using the p Parameter +The resulting signature is then transmitted to the server using the `p` Parameter (see {{parameter-p}}). # Authentication Parameters
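Review bot: In the first paragraph of the new Signature Computation section (PATCH 1/2), "to mitigate issues caused by key reuse" does not say what the prefix protects against. Suggest stating that the fixed padding and context string keep a signature made for this scheme from being valid in another protocol that signs with the same key, which is the role the context string plays in the TLS 1.3 CertificateVerify construction the section cites. The section also describes only the signer's side; a sentence saying that the server rebuilds the same concatenation before verifying the signature would make it complete.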
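Review bot: In the separator bullet changed by the first hunk of PATCH 2/2, "A single 0 byte" remains ambiguous and inconsistent with the first bullet's "octet 32 (0x20)": a reader could take "0" to mean the ASCII digit (0x30). Suggest "A single octet 0 (0x00) which serves as a separator", which matches the `00` line in the hexadecimal example.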
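Review bot: In the second hunk of PATCH 2/2, backticking the name in "the `p` Parameter" leaves "the v Parameter" in the Verification definition unformatted, so the two parameter names now render differently. Suggest applying the same markup to `v` in this commit. The unchanged context line just above the edit still reads "This constructions mirrors"; it should be "This construction mirrors".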