pkcs1 verificiation too strict on algid encoding

Bug #1119552 reported by Jon Oberheide on 2013-02-08
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Python-Crypto
Undecided
Unassigned

Bug Description

I recently ran into an issue with the PKCS#1 v1.5 verification routines in pycrypto. The EMSA_PKCS1_V1_5_ENCODE routines build a DER object assuming that a Null object is present for the AlgorithmIdentifier parameters field:

https://github.com/dlitz/pycrypto/blob/master/lib/Crypto/Signature/PKCS1_v1_5.py#L211

Some crypto implementations generate signatures that omit the AlgId parameters field instead of including a Null object. Therefore, those signatures will fail when verified with pycrypto.

Other implementations (Bouncy Castle, OpenSSL) relax their verification routines to accept the signature whether or not the Null is present.

From http://www.ietf.org/rfc/rfc4055.txt:
"""
   There are two possible encodings for the AlgorithmIdentifier
   parameters field associated with these object identifiers. The two
   alternatives arise from the loss of the OPTIONAL associated with the
   algorithm identifier parameters when the 1988 syntax for
   AlgorithmIdentifier was translated into the 1997 syntax. Later the
   OPTIONAL was recovered via a defect report, but by then many people
   thought that algorithm parameters were mandatory. Because of this
   history some implementations encode parameters as a NULL element
   while others omit them entirely. The correct encoding is to omit the
   parameters field; however, when RSASSA-PSS and RSAES-OAEP were
   defined, it was done using the NULL parameters rather than absent
   parameters.

   All implementations MUST accept both NULL and absent parameters as
   legal and equivalent encodings.
"""

Legrandin (gooksankoo) wrote :

I created a fix and opened a pull request for this:

https://github.com/dlitz/pycrypto/pull/36

As I say in the comment, I branched it off from my pkcs8 branch mainly for cosmetic reason.
By changing one line it could be applied directly to main.

One last one. RFC 4055 only talks about SHA1/2 algorithms. RFC 3447 (PKCS#1 v2.1) says the same thing,
but it also says that any MD2/5-based signature must have the parameters (field with value NULL).
It is still mandatory in that case.

Legrandin (gooksankoo) wrote :

New pull request here:

https://github.com/dlitz/pycrypto/pull/42

Now with no dependencies on pkcs8 branch.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers