Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for RSA sign/verify with raw PKCS #1 data without DigestInfo #10226

Open
misterzed88 opened this issue Jan 22, 2024 · 3 comments
Open

Add support for RSA sign/verify with raw PKCS #1 data without DigestInfo #10226

misterzed88 opened this issue Jan 22, 2024 · 3 comments

Comments

@misterzed88
Copy link
Contributor

There are non-standard RSA signature formats where the PKCS #1-padded data is without DigestInfo. A few examples:

  • Some old Thawte and Verisign timestamp certificates.

  • Signed MD5/SHA1 hashes in TLS 1.1 or earlier (RFC 4346, section 4.7).

  • IKE version 1 signatures (RFC 2409, section 5.1).

By making it possible to support these formats the Cryptography library would be even more versatile and useful, broadening its user base.

The RSAPublicKey.recover_data_from_signature already supports these type of non-standard formats. (See issue #5495).

A straightfoward solution would be to extend the RSAPrivateKey.sign and RSAPublicKey.verify APIs to allow None in the in the algorithm parameter. This would also make these APIs symmetrical with RSAPublicKey.recover_data_from_signature, which accepts None for the exact same purpose.
@reaperhulk
Copy link
Member

Are there any test vectors we can use to confirm functionality here?

@misterzed88
Copy link
Contributor Author

The best I have found for now are NIST test vectors for RSA signatures, part of their Cryptographic Algorithm Validation Program (CAVP). The RSA test vector files are linked from the "Test Vectors" section.

The SigGen15_186-*.txt files contain the private exponent which makes it possible to create signatures in addition to verifying them.

Unfortunately the vector files do not contain data for the intermediary steps. So the test code has perform the low-level message encoding according to section 9.2 in RFC 3447. (It is quite straightforward).

I have also tried to find public test data for RSA-signatures of 36-byte TLS 1.1 MD5+SHA1 hash values, but so far without any luck.

@misterzed88
Copy link
Contributor Author

After spending considerable effort, I could not find any nice, public test vectors for the SSL/TLS 1.1 signature case (RSA-signed 36-bytes MD5+SHA1 hashes).

As an alternative, I could create a test vector for this case, by running a TLS handshake trace with OpenSSL, documenting the steps so it can be reproduced by others.

Would you have any use of a test vector created this way? Is there anything else I can help with to advance this feature request?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@reaperhulk @misterzed88