-
Notifications
You must be signed in to change notification settings - Fork 11.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement RSA verification #4952
base: master
Are you sure you want to change the base?
Changes from 10 commits
b9f144c
41949e6
0abe46b
0a1691c
1189ae7
d98a3f9
2ef35d1
f110d43
6dcc26d
1b2ba49
fe0927f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,118 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.20; | ||
|
||
import {Math} from "../math/Math.sol"; | ||
|
||
/** | ||
* TODO: | ||
* - Further optimize ? | ||
* - Write documentation | ||
* | ||
* Inspired by Adrià Massanet's work: https://github.com/adria0/SolRsaVerify | ||
*/ | ||
library RSA { | ||
/** | ||
* @dev Verifies a PKCSv1.5 SHA256 signature | ||
* @param data to verify | ||
* @param sig is the signature | ||
* @param exp is the exponent | ||
* @param mod is the modulus | ||
*/ | ||
function pkcs1Sha256( | ||
bytes memory data, | ||
bytes memory sig, | ||
bytes memory exp, | ||
bytes memory mod | ||
) internal view returns (bool) { | ||
return pkcs1Sha256(sha256(data), sig, exp, mod); | ||
} | ||
|
||
/** | ||
* @dev Verifies a PKCSv1.5 SHA256 signature | ||
* @param digest is the sha256 of the data | ||
* @param sig is the signature | ||
* @param exp is the exponent | ||
* @param mod is the modulus | ||
*/ | ||
function pkcs1Sha256( | ||
bytes32 digest, | ||
bytes memory sig, | ||
bytes memory exp, | ||
bytes memory mod | ||
) internal view returns (bool) { | ||
unchecked { | ||
// cache and check length | ||
uint256 length = mod.length; | ||
if (length < 0x40 || length != sig.length) { | ||
ernestognw marked this conversation as resolved.
Show resolved
Hide resolved
|
||
return false; | ||
} | ||
|
||
(bool success, bytes memory buffer) = Math.tryModExp(sig, exp, mod); | ||
if (!success) { | ||
return false; | ||
} | ||
|
||
// Check that buffer is well encoded: | ||
// buffer ::= 0x00 | 0x01 | PS | 0x00 | DigestInfo | ||
// | ||
// With | ||
// - PS is padding filled with 0xFF | ||
// - DigestInfo ::= SEQUENCE { | ||
// digestAlgorithm AlgorithmIdentifier, | ||
// [optional algorithm parameters] | ||
// digest OCTET STRING | ||
// } | ||
|
||
// Get AlgorithmIdentifier from the DigestInfo, and set the config accordingly | ||
// - params: includes 00 + first part of DigestInfo | ||
// - mask: filter to check the params | ||
// - offset: length of the suffix (including digest) | ||
bytes32 params; | ||
bytes32 mask; | ||
uint256 offset; | ||
if (_unsafeReadBytes1(buffer, length - 50) == 0x31) { | ||
// case: sha256Explicit | ||
offset = 0x34; | ||
params = 0x003031300d060960864801650304020105000420000000000000000000000000; | ||
mask = 0xffffffffffffffffffffffffffffffffffffffff000000000000000000000000; | ||
} else if (_unsafeReadBytes1(buffer, length - 48) == 0x2F) { | ||
// case: sha256Implicit | ||
offset = 0x32; | ||
params = 0x00302f300b060960864801650304020104200000000000000000000000000000; | ||
mask = 0xffffffffffffffffffffffffffffffffffff0000000000000000000000000000; | ||
} else { | ||
// unknown | ||
return false; | ||
} | ||
Comment on lines
+73
to
+86
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. From the RFC, Section 9.2 defines the algorithm identifier, but turns out the explicit NULL param is mentioned in Appendix C.
Pending to verify it, but then the byte difference between |
||
|
||
// Length is at least 0x40 and offset is at most 0x34, so this is safe. There is always some padding. | ||
uint256 paddingEnd = length - offset; | ||
|
||
// The padding has variable (arbitrary) length, so we check it byte per byte in a loop. | ||
for (uint256 i = 2; i < paddingEnd; ++i) { | ||
if (_unsafeReadBytes1(buffer, i) != 0xFF) { | ||
return false; | ||
} | ||
} | ||
// All the other parameters are small enough to fit in a bytes32, so we can check them directly. | ||
return | ||
bytes2(0x0001) == _unsafeReadBytes2(buffer, 0x00) && | ||
params == _unsafeReadBytes32(buffer, paddingEnd) & mask && | ||
digest == _unsafeReadBytes32(buffer, length - 0x20); | ||
} | ||
} | ||
|
||
function _unsafeReadBytes32(bytes memory array, uint256 offset) private pure returns (bytes32 result) { | ||
assembly { | ||
result := mload(add(add(array, 0x20), offset)) | ||
} | ||
} | ||
|
||
function _unsafeReadBytes1(bytes memory array, uint256 offset) private pure returns (bytes1) { | ||
return bytes1(_unsafeReadBytes32(array, offset)); | ||
} | ||
|
||
function _unsafeReadBytes2(bytes memory array, uint256 offset) private pure returns (bytes2) { | ||
return bytes2(_unsafeReadBytes32(array, offset)); | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
const path = require('path'); | ||
const fs = require('fs'); | ||
|
||
module.exports = function* parse(file) { | ||
const cache = {}; | ||
const data = fs.readFileSync(path.resolve(__dirname, file), 'utf8'); | ||
for (const line of data.split('\r\n')) { | ||
const groups = line.match(/^(?<key>\w+) = (?<value>\w+)(?<extra>.*)$/)?.groups; | ||
if (groups) { | ||
const { key, value, extra } = groups; | ||
cache[key] = value; | ||
if (groups.key === 'Result') { | ||
yield Object.assign({ extra: extra.trim() }, cache); | ||
} | ||
} | ||
} | ||
}; |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
const { ethers } = require('hardhat'); | ||
const { expect } = require('chai'); | ||
const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); | ||
|
||
const parse = require('./RSA.helper'); | ||
|
||
async function fixture() { | ||
return { mock: await ethers.deployContract('$RSA') }; | ||
} | ||
|
||
describe('RSA', function () { | ||
beforeEach(async function () { | ||
Object.assign(this, await loadFixture(fixture)); | ||
}); | ||
|
||
// Load test cases from file SigVer15_186-3.rsp from: | ||
// https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-2rsatestvectors.zip | ||
describe('SigVer15_186-3.rsp tests', function () { | ||
for (const test of parse('SigVer15_186-3.rsp')) { | ||
const { length } = Buffer.from(test.S, 'hex'); | ||
|
||
/// For now, RSA only supports digest that are 32bytes long. If we ever extend that, we can use these hashing functions for @noble: | ||
// const { sha1 } = require('@noble/hashes/sha1'); | ||
// const { sha224, sha256 } = require('@noble/hashes/sha256'); | ||
// const { sha384, sha512 } = require('@noble/hashes/sha512'); | ||
|
||
if (test.SHAAlg === 'SHA256') { | ||
it(`signature length ${length} ${test.extra}`, async function () { | ||
const data = '0x' + test.Msg; | ||
const sig = '0x' + test.S; | ||
const exp = '0x' + test.e; | ||
const mod = '0x' + test.n; | ||
const result = test.Result === 'P'; | ||
|
||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes32(ethers.sha256(data)), sig, exp, mod)).to.equal( | ||
result, | ||
); | ||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes(data), sig, exp, mod)).to.equal(result); | ||
}); | ||
} | ||
} | ||
}); | ||
|
||
describe('others tests', function () { | ||
it(`openssl`, async function () { | ||
const data = ethers.toUtf8Bytes('hello world'); | ||
const sig = | ||
'0x079bed733b48d69bdb03076cb17d9809072a5a765460bc72072d687dba492afe951d75b814f561f253ee5cc0f3d703b6eab5b5df635b03a5437c0a5c179309812f5b5c97650361c645bc99f806054de21eb187bc0a704ed38d3d4c2871a117c19b6da7e9a3d808481c46b22652d15b899ad3792da5419e50ee38759560002388'; | ||
const exp = | ||
'0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001'; | ||
const mod = | ||
'0xdf3edde009b96bc5b03b48bd73fe70a3ad20eaf624d0dc1ba121a45cc739893741b7cf82acf1c91573ec8266538997c6699760148de57e54983191eca0176f518e547b85fe0bb7d9e150df19eee734cf5338219c7f8f7b13b39f5384179f62c135e544cb70be7505751f34568e06981095aeec4f3a887639718a3e11d48c240d'; | ||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes(data), sig, exp, mod)).to.be.true; | ||
}); | ||
|
||
// According to RFC4055, pg.5 and RFC8017, pg. 64, for SHA-1, and the SHA-2 family, | ||
// the algorithm parameter has to be NULL and both explicit NULL parameter and implicit | ||
// NULL parameter (ie, absent NULL parameter) are considered to be legal and equivalent. | ||
it(`rfc8017 implicit null parameter`, async function () { | ||
const data = ethers.toUtf8Bytes('hello world!'); | ||
const sig = | ||
'0xa0073057133ff3758e7e111b4d7441f1d8cbe4b2dd5ee4316a14264290dee5ed7f175716639bd9bb43a14e4f9fcb9e84dedd35e2205caac04828b2c053f68176d971ea88534dd2eeec903043c3469fc69c206b2a8694fd262488441ed8852280c3d4994e9d42bd1d575c7024095f1a20665925c2175e089c0d731471f6cc145404edf5559fd2276e45e448086f71c78d0cc6628fad394a34e51e8c10bc39bfe09ed2f5f742cc68bee899d0a41e4c75b7b80afd1c321d89ccd9fe8197c44624d91cc935dfa48de3c201099b5b417be748aef29248527e8bbb173cab76b48478d4177b338fe1f1244e64d7d23f07add560d5ad50b68d6649a49d7bc3db686daaa7'; | ||
const exp = '0x03'; | ||
const mod = | ||
'0xe932ac92252f585b3a80a4dd76a897c8b7652952fe788f6ec8dd640587a1ee5647670a8ad4c2be0f9fa6e49c605adf77b5174230af7bd50e5d6d6d6d28ccf0a886a514cc72e51d209cc772a52ef419f6a953f3135929588ebe9b351fca61ced78f346fe00dbb6306e5c2a4c6dfc3779af85ab417371cf34d8387b9b30ae46d7a5ff5a655b8d8455f1b94ae736989d60a6f2fd5cadbffbd504c5a756a2e6bb5cecc13bca7503f6df8b52ace5c410997e98809db4dc30d943de4e812a47553dce54844a78e36401d13f77dc650619fed88d8b3926e3d8e319c80c744779ac5d6abe252896950917476ece5e8fc27d5f053d6018d91b502c4787558a002b9283da7'; | ||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes(data), sig, exp, mod)).to.be.true; | ||
}); | ||
}); | ||
}); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we reject length less than
0x40
because it wouldn't be secure. I wonder if0x40
was arbitrarily chosen. If so, we need to evaluate it carefully, as far as I remember, RSA's security isp * q
so a 512 bits signature is crackable in reasonable time.Found this as a reference, but seems like 512 bits (0x40 bytes) signatures are pretty much broken.
https://github.com/tomrittervg/cloud-and-control/blob/master/gnfs-info/factoring-howto.txt
RFC 3447 is from 2003 and was superseded by RFC 8017, though, I couldn't find a recommendation for the mod length. Allegedly, 512 bits security was first broken in 1999, so my estimations say that we might increase this to
0x80
at least.Needs discussion