crypto/rsa: reject short signatures #21896
Comments
bradfitz
added
help wanted
NeedsFix
FiloSottile
added
the
early-in-cycle
|
This is very likely to break people, and unlikely to be a security issue (unless someone is relying on verifiable signatures not being malleable, but that is often regrettable anyway) so let's do it in early 1.12 instead of late 1.11. |
Per RFC 8017, reject signatures which are not the same length as the RSA modulus. This matches the behavior of SignPKCS1v15 which properly left pads the signatures it generates to the size of the modulus. Fixes golang#21896 Change-Id: I78cf5b225975263fe60aa3acdb458bd4d9cd8de0
Per RFC 8017, reject signatures which are not the same length as the RSA modulus. This matches the behavior of SignPKCS1v15 which properly left pads the signatures it generates to the size of the modulus. Fixes golang#21896 Change-Id: I78cf5b225975263fe60aa3acdb458bd4d9cd8de0
|
Change https://golang.org/cl/226203 mentions this issue: |
|
Change https://golang.org/cl/227651 mentions this issue: |
… VerifyRSAPKCS1v15 This matches the new crypto/rsa behavior introduced in CL 226203. Updates #21896 Change-Id: If04eeff933d7310c2baa0f8fd26907892c2397fd Reviewed-on: https://go-review.googlesource.com/c/go/+/227651 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
… VerifyRSAPKCS1v15 This matches the new crypto/rsa behavior introduced in CL 226203. Updates #21896 Change-Id: If04eeff933d7310c2baa0f8fd26907892c2397fd Reviewed-on: https://go-review.googlesource.com/c/go/+/227651 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Katie Hockman <katie@golang.org>
|
Hey! This change broke Flatcar Container Linux build infrastructure. The signatures for our files are generated with gpg ( I'm surprised that there's no way to disable this check and that there's no error message specific for this check. I had to go down a rather long rabbit hole to find out that this change was what causing my code to suddenly say I understand that the rest of the Go libraries do the right thing, but I'd expect the library to be able to maintain compatibility with gpg. Maybe through some option or something. |
|
crypto/rsa should not accept invalid signatures just because PGP generates them. We had fixed this in golang.org/x/crypto/openpgp years ago, and all its tests pass. If you have an example fo a PGP signature that doesn't validate with the latest golang.org/x/crypto/openpgp, please open a new issue with a reproduction test case. |
|
Thanks for the reply! After further investigation I found that the issue we were seeing was indeed due to having an old version of golang.org/x/crypto/openpgp in go.mod, which didn't have the fixes you mentioned. I've taken care of this and now the signature verifies correctly, even for the file with 593 bytes. Sorry for the noise. |
During dev.boringcrypto work, I discovered that x/crypto/openpgp tests depend on crypto/rsa accepting trimmed RSA signatures, in which leading zeros have been removed, while BoringSSL does not. @agl says that the Go library is in error and that such signatures are not valid. We should fix this (in master, not just dev.boringcrypto) for Go 1.10 and mark it in the release notes. Will need to fix openpgp first.
The text was updated successfully, but these errors were encountered: