crypto/rsa: PKCS#1 v1.5 signature scheme verification incompatibility issue #45322
Comments
As far as I can tell, the NULL must be explicit in PKCS#1 v1.5 signatures, and especially in finicky primitives like this we prefer to keep complexity at a minimum. From RFC 8017:
The cited paragraph specifies
which recommends accepting both versions in the signature verification. I believe since
I think the text is fairly clear that the "Exception" paragraph overrides the previous one for

Is this causing active compatibility issues? With what software/ecosystem?

Even if the spec allowed both, we'd probably want to stick to the simplest implementation for safety reasons unless there is meaningful breakage.
Your PKCS1v1.5 implementation was one of our many test subjects we've experimented with for a compliancy check research project.
I was testing PKCS#1 v1.5 signature verification as implemented in the Go crypto package and noticed it rejects a valid signature whose encoded message uses an implicit NULL parameter for the hash algorithm (where the DER-encoded ASN.1 digestAlgorithm does not have the NULL parameter TLV; that is, 0x0500 is absent).

According to RFC 4055, p. 5 and RFC 8017, p. 64, for SHA-1 and the SHA-2 family, the algorithm parameter has to be NULL, and both an explicit NULL parameter and an implicit NULL parameter (i.e., an absent NULL parameter) are considered to be legal and equivalent. However, this implementation does not accept a valid PKCS input with an implicit NULL parameter.
Reference notation and concrete values
N: public modulus
|N|: length of public modulus
d: private exponent
e: public exponent
H: hash function
m: message
I: to-be-signed RSA PKCS#1 v1.5 signature scheme input structure
S: signature value obtained by I^d mod N
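
The two encodings discussed in this issue can be compared directly. The following is an added example, not code from the issue or from the Go project: it builds I for SHA-256 with both DigestInfo forms, computes S = I^d mod N with a throwaway 2048-bit key, and asks crypto/rsa to verify each. The names `signWithPrefix`, `demo`, `explicitNull` and `absentParams` are hypothetical, and the rejection of the second form assumes a Go release with the behaviour reported here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// DER DigestInfo prefixes for SHA-256: parameters as explicit NULL (05 00), or left out.
var (
	explicitNull = []byte{0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20}
	absentParams = []byte{0x30, 0x2f, 0x30, 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x04, 0x20}
)

// signWithPrefix builds I = 00 01 FF..FF 00 || prefix || digest and returns S = I^d mod N.
func signWithPrefix(key *rsa.PrivateKey, prefix, digest []byte) []byte {
	k := key.Size() // |N| in bytes
	t := append(append([]byte{}, prefix...), digest...)
	em := make([]byte, k)
	em[1] = 0x01
	for i := 2; i < k-len(t)-1; i++ {
		em[i] = 0xff // padding string; the byte after it stays 0x00
	}
	copy(em[k-len(t):], t)
	s := new(big.Int).Exp(new(big.Int).SetBytes(em), key.D, key.N)
	return s.FillBytes(make([]byte, k)) // left-pad S to |N| bytes
}

// demo signs one digest under both encodings with a throwaway key (constructed
// for this example) and reports whether crypto/rsa accepts each.
func demo(msg []byte) (explicitOK, absentOK bool, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	d := sha256.Sum256(msg)
	check := func(prefix []byte) bool {
		sig := signWithPrefix(key, prefix, d[:])
		return rsa.VerifyPKCS1v15(&key.PublicKey, crypto.SHA256, d[:], sig) == nil
	}
	return check(explicitNull), check(absentParams), nil
}

func main() {
	fmt.Println(demo([]byte("constructed sample message")))
}
```

The 19-byte and 17-byte prefixes differ only in the two length bytes and the missing `05 00`, which is enough for a verifier that re-encodes the expected I and compares it byte for byte to reject the second signature.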