Page MenuHome GnuPG
Create Task
Maniphest T6976

RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding
Closed, ResolvedPublic
Actions

Description

libgcrypt does not correctly pad RSASSA-PKCS1-v1_5 signatures that use SHA-3, because it does not have the OIDs for SHA-3 set.

To reproduce, run the attached reproducer with sha3-224, sha3-256, sha3-384, or sha3-512 as argument (the same problem occurs with shake128 or shake256, but the reproducer cannot show that).

test.c4 KBDownload

  1. gcc -std=c99 -Wall -Werror -pedantic -o test test.c -lgcrypt
  2. ./test sha3-256 | sed 1d | sed -E 's/01(ff)*00//' | xxd -ps -r | openssl asn1parse -inform DER

Notes:

  • sed 1d removes the first line of output, which is the signature in hex
  • sed -E 's/01(ff)*00//' removes the PKCS#1 padding
  • xxd -ps -r converts the hex output to binary
  • openssl asn1parse -inform DER attempts to parse the resulting ASN.1
  • As an alternative to openssl asn1parse, other asn1parsers such as der2ascii can also be used

Details

Version
libgcrypt master

Revisions and Commits

rC libgcrypt
rCb3750fb42a44 sha3: Fill OIDs and partial ASN.1 structs.

Related Objects

Event Timeline

neverpanic created this task.Feb 5 2024, 5:37 PM
neverpanic added a comment.Feb 5 2024, 5:39 PM

I'm attaching a proposed patch. We should decide whether this is the correct encoding to use for SHAKE128 and SHAKE256, because they are variable-length output functions and there is an alternative encoding that has a field for the length, which is likely better suited, but currently not really well supported by libgcrypt (since this would be dynamic content in the ASN.1 encoding).

0001-sha3-Fill-OIDs-and-partial-ASN.1-structs.patch4 KBDownload

Note that this functionality will likely be required for FIPS certification according to FIPS 186-5, because otherwise PKCS#1v1.5 signatures with SHA-3 will not work correctly.

werner added projects: libgcrypt, FIPS.Feb 7 2024, 9:17 AM
werner triaged this task as Normal priority.Feb 7 2024, 9:20 AM
gniibe added a commit: rCb3750fb42a44: sha3: Fill OIDs and partial ASN.1 structs..Feb 9 2024, 8:32 AM
gniibe changed the task status from Open to Testing.Feb 9 2024, 8:32 AM
gniibe claimed this task.
gniibe added a subscriber: gniibe.

Applied the change. I write the ChangeLog entry by commit message.

werner mentioned this in T7165: Release Libgcrypt 1.11.0.Jun 19 2024, 11:37 AM
werner closed this task as Resolved.Jun 19 2024, 12:11 PM