RSA PKCS#1 v1.5 signature scheme verification incompatibility issue #19
Comments
The core problem we have with issue #19 is that we don't actually process the ASN.1 describing the hash function used. If we did, we could unwind this issue on our own ... maybe. There is a core issue here that, right now, the library is structured so that it doesn't need to know about all the hash functions the user might want. (Although it provides links to SHA for convenience.) Maintaining this ability while also properly handling ASN.1 case would likely require some state ... That being said, I don't know that I have any plans to add proper ASN.1 parsing to this library. Thus, this mechanism -- providing a specific hash function definition for this case -- is probably the only way forward.
|
OK, so I have mediocre news and bad news. The mediocre news is that you can make this work with the library as-is. What you have to do is provide a custom version of the hash function declaration, as follows: let customHash = HashInfo {
algorithmIdent = BS.pack [
0x30,0x2f,0x30,0x0b,0x06,0x09,0x60,0x86,
0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x04,
0x20
],
hashFunction = bytestringDigest . sha256
}
in rsassa_pkcs1_v1_5_verify customHash pub m s_bytes)I've created a test case to show this off inside the repository, for reference. The bad news is that this is likely the best I'm going to do for you. The underlying problem, as noted in the commit message that adds this example, is that this library doesn't actually parse any ASN.1. That is, in fact, the reason for the Processing the ASN.1, would likely require a rethinking of this entire module's API. I admit, I'm unlikely to bite that bullet. If you'd like to, though, I'd be happy to chat about approaches / look at patches. |
I was testing PKCS#1 v1.5 signature verification as implemented in RSA package and noticed it rejects valid signature whose encoded message uses an implicit NULL parameter for hash algorithm (where digestAlgorithm ANS.1 der encoded does not have NULL parameter TLV; that is,
0x0500is absent).According to RFC4055, pg.5 and RFC8017, pg. 64, for SHA-1, and the SHA-2 family, the algorithm parameter has to be NULL and both explicit NULL parameter and implicit NULL parameter (ie, absent NULL parameter) are considered to be legal and equivalent. However, this implementation does not accept a valid PKCS input with implicit NULL parameter.
Reference notation and concrete values
N: public modulus|N|: length of public modulusd: private exponente: public exponentH: hash functionm: messageI: to-be-singed RSA PKCS#1 v1.5 signature scheme input structureS: signature value obtained byI^d mod NThe text was updated successfully, but these errors were encountered: