
Implement RSA verification #4952

Draft: wants to merge 11 commits into master

Conversation

@Amxx (Collaborator) commented Mar 12, 2024

Work in progress. Based on https://github.com/adria0/SolRsaVerify

Tests:

For now, only sha256 is supported. @nobles/hash provides all the functions we need to generate the digest, and SigVer15_186-3.rsp contains more tests.

Do we want to support more?

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)

changeset-bot commented Mar 12, 2024

⚠️ No Changeset found

Latest commit: fe0927f

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@ernestognw (Member) left a comment

Managed to navigate through RFC 8017 and mostly looks good.

unchecked {
// cache and check length
uint256 length = mod.length;
if (length < 0x40 || length != sig.length) {

I guess we reject lengths less than 0x40 because it wouldn't be secure. I wonder if 0x40 was arbitrarily chosen. If so, we need to evaluate it carefully; as far as I remember, RSA's security is p * q, so a 512-bit signature is crackable in reasonable time.

Found this as a reference, but it seems like 512-bit (0x40 bytes) signatures are pretty much broken.
https://github.com/tomrittervg/cloud-and-control/blob/master/gnfs-info/factoring-howto.txt

RFC 3447 is from 2003 and was superseded by RFC 8017, though I couldn't find a recommendation for the mod length. Allegedly, 512-bit security was first broken in 1999, so my estimations say that we might increase this to 0x80 at least.

Needs discussion

contracts/utils/cryptography/RSA.sol, comment on lines +73 to +86:
if (_unsafeReadBytes1(buffer, length - 50) == 0x31) {
// case: sha256Explicit
offset = 0x34;
params = 0x003031300d060960864801650304020105000420000000000000000000000000;
mask = 0xffffffffffffffffffffffffffffffffffffffff000000000000000000000000;
} else if (_unsafeReadBytes1(buffer, length - 48) == 0x2F) {
// case: sha256Implicit
offset = 0x32;
params = 0x00302f300b060960864801650304020104200000000000000000000000000000;
mask = 0xffffffffffffffffffffffffffffffffffff0000000000000000000000000000;
} else {
// unknown
return false;
}

From the RFC, Section 9.2 defines the algorithm identifier, but it turns out the explicit NULL param is mentioned in Appendix C.

Allowed EMSA-PKCS1-v1_5 digest algorithms.

PKCS1-v1-5DigestAlgorithms ALGORITHM-IDENTIFIER ::= {
{ OID id-md2 PARAMETERS NULL }|
{ OID id-md5 PARAMETERS NULL }|
{ OID id-sha1 PARAMETERS NULL }|
{ OID id-sha224 PARAMETERS NULL }|
{ OID id-sha256 PARAMETERS NULL }|
{ OID id-sha384 PARAMETERS NULL }|
{ OID id-sha512 PARAMETERS NULL }|
{ OID id-sha512-224 PARAMETERS NULL }|
{ OID id-sha512-256 PARAMETERS NULL }
}

When id-md2 and id-md5 are used in an AlgorithmIdentifier, the
parameters field shall have a value of type NULL.

When id-sha1, id-sha224, id-sha256, id-sha384, id-sha512,
id-sha512-224, and id-sha512-256 are used in an
AlgorithmIdentifier, the parameters (which are optional) SHOULD be
omitted, but if present, they SHALL have a value of type NULL.
However, implementations MUST accept AlgorithmIdentifier values
both without parameters and with NULL parameters.

Pending to verify it, but then the byte difference between 0x31 and 0x2F should come from the explicit null param (that is 05 00). I'm just not sure how to encode that section explicitly,
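The 0x31 / 0x2F question above can be checked directly: the following is an added Python example (not code from this PR or the OpenZeppelin repository) that builds both legal SHA-256 DigestInfo encodings from RFC 8017 Appendix B.1/C, pads them per EMSA-PKCS1-v1_5, and compares an encoded message against both forms, as a verifier must. All function names are this example's own; the only real constants are the SHA-256 OID and the DER NULL.

```python
import hashlib

# DER pieces of the SHA-256 AlgorithmIdentifier, transcribed from RFC 8017
# Appendix B.1 / Appendix C: OID 2.16.840.1.101.3.4.2.1 and NULL parameters.
SHA256_OID = bytes.fromhex("0609608648016503040201")   # OBJECT IDENTIFIER (11 bytes)
NULL_PARAMS = bytes.fromhex("0500")                     # NULL

def der_seq(*parts: bytes) -> bytes:
    """DER SEQUENCE with short-form length (every length here is < 128)."""
    body = b"".join(parts)
    return b"\x30" + bytes([len(body)]) + body

def digest_info_sha256(digest: bytes, explicit_null: bool) -> bytes:
    """DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }.
    explicit_null=True gives the 'sha256Explicit' form (05 00 present, outer
    length byte 0x31); False gives 'sha256Implicit' (outer length byte 0x2F).
    The two differ by exactly the two NULL bytes."""
    alg = der_seq(SHA256_OID, NULL_PARAMS if explicit_null else b"")
    return der_seq(alg, b"\x04\x20" + digest)

def emsa_pkcs1_v15_encode(message: bytes, em_len: int, explicit_null: bool = False) -> bytes:
    """RFC 8017 9.2: EM = 0x00 || 0x01 || PS || 0x00 || T, PS = 0xff repeated (>= 8)."""
    t = digest_info_sha256(hashlib.sha256(message).digest(), explicit_null)
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def match_sha256_em(em: bytes, message: bytes):
    """Verifier side: rebuild both legal encodings of the message and compare the
    whole EM against each (RFC 8017 8.2.2 step 4). Returns the matching variant
    name or None. Comparing complete encodings instead of parsing EM leaves no
    room for accepting a malformed padding shape."""
    for name, flag in (("sha256Implicit", False), ("sha256Explicit", True)):
        if em == emsa_pkcs1_v15_encode(message, len(em), flag):
            return name
    return None

def rsa_pkcs1_v15_verify(n: int, e: int, sig: bytes, message: bytes):
    """RSASSA-PKCS1-v1_5 verify: s^e mod n, written as k bytes, then compared.
    A signature of the wrong length or out of range is rejected up front."""
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return None
    em = pow(s, e, n).to_bytes(k, "big")
    return match_sha256_em(em, message)
```

With a 256-byte EM (2048-bit modulus), em[256 - 50] is 0x31 for the explicit form and em[256 - 48] is 0x2F for the implicit one, matching the offsets checked in the Solidity snippet above.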
