New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto/rsa: invalid RIPEMD160 hash prefix #35495
Comments
This test // Issue 35495: ensure that the hash prefixes from
// RFC 4880 Section 5.2.2 correctly match what we have.
func TestCheckHashPrefixes(t *testing.T) {
want := []struct {
name string
hash crypto.Hash
wantPrefix []byte
}{
{"MD5", crypto.MD5, []byte{0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10}},
{"SHA1", crypto.SHA1, []byte{0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0E, 0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14}},
{"SHA224", crypto.SHA224, []byte{0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04, 0x1c}},
{"SHA256", crypto.SHA256, []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}},
{"SHA384", crypto.SHA384, []byte{0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05, 0x00, 0x04, 0x30}},
{"SHA512", crypto.SHA512, []byte{0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40}},
{"RIPEMD-160", crypto.RIPEMD160, []byte{0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x24, 0x03, 0x02, 0x01, 0x05, 0x00, 0x04, 0x14}},
}
for _, tt := range want {
t.Run(tt.name, func(t *testing.T) {
gotPrefix := hashPrefixes[tt.hash]
if g, w := gotPrefix, tt.wantPrefix; !bytes.Equal(g, w) {
t.Fatalf("Hash prefix mismatch:\nGot: % x\nWant: % x", g, w)
}
})
}
} when added to pkcs1v15_test.go prints out $ go test -run=HashPrefixes
--- FAIL: TestHashPrefixes (0.00s)
--- FAIL: TestHashPrefixes/RIPEMD-160 (0.00s)
pkcs1v15_test.go:321: Hash prefix mismatch:
Got: 30 20 30 08 06 06 28 cf 06 03 00 31 04 14
Want: 30 21 30 09 06 05 2b 24 03 02 01 05 00 04 14
FAIL
exit status 1
FAIL crypto/rsa 0.006s |
Thank you for opening an issue. I don't disagree we have a prefix that's different from the OpenPGP RFC, but I would want to understand why, and why no one noticed so far. Also, an OpenPGP RFC is not exactly the authoritative source for RSA PKCS#1 v1.5. For example, they got the SHA-224 one wrong. https://www.rfc-editor.org/errata/eid2270 (Why do you have the correct one in your test?) |
Looks like they are both RIPEMD-160 object identifiers. This is the one we have
and this is the OpenPGP one (which for some reason has a NULL in the prefix as well)
Since ours is the ISO one, and it has served us until now, I don't think we should change it. |
@FiloSottile there may be two different OIDs for RIPEMD-160. However, the OID specified in RFC4880 (the Teletrust one) is the same one that's used by OpenSSL when creating RSASSA-PKCS1-v1_5 signatures with RIPEMD-160 as the digest algorithm. So, I believe that using the ISO OID will generate signatures that are not compatible with OpenSSL. The Teletrust OID is also used by at least one large HSM vendor (nCipher). RIPEMD-160 is not mentioned in https://tools.ietf.org/html/rfc8017 so it's unclear what OID should be used, but OpenSSL is very widely deployed so it might be worth it to aim for compatibility with it. It's not a commonly-used hash algorithm so maybe it doesn't matter that much. |
I am coming here from @ragansa's CL https://go-review.googlesource.com/c/go/+/203480/ and filing this issue so as to fast track that CL as it was submitted before the Go1.14 freeze start.
The issue is that we've got
go/src/crypto/rsa/pkcs1v15.go
Lines 200 to 217 in 47bc240
and in particular for RIPEMD160, we've got
go/src/crypto/rsa/pkcs1v15.go
Line 216 in 47bc240
but RFC 4880 says https://tools.ietf.org/html/rfc4880#section-5.2.2
i.e. should be
That code has been in for 9 years but this is the first report. This issue to have any discussions as well as attach it to the CL that spawned this.
Kindly ping our cryptographers @FiloSottile @agl @veorq.
The text was updated successfully, but these errors were encountered: