Page MenuHome GnuPG

RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding
Testing, NormalPublic


libgcrypt does not correctly pad RSASSA-PKCS1-v1_5 signatures that use SHA-3, because it does not have the OIDs for SHA-3 set.

To reproduce, run the attached reproducer with sha3-224, sha3-256, sha3-384, or sha3-512 as argument (the same problem occurs with shake128 or shake256, but the reproducer cannot show that).

  1. gcc -std=c99 -Wall -Werror -pedantic -o test test.c -lgcrypt
  2. ./test sha3-256 | sed 1d | sed -E 's/01(ff)*00//' | xxd -ps -r | openssl asn1parse -inform DER


  • sed 1d removes the first line of output, which is the signature in hex
  • sed -E 's/01(ff)*00//' removes the PKCS#1 padding
  • xxd -ps -r converts the hex output to binary
  • openssl asn1parse -inform DER attempts to parse the resulting ASN.1
  • As an alternative to openssl asn1parse, other asn1parsers such as der2ascii can also be used


libgcrypt master

Revisions and Commits

Event Timeline

I'm attaching a proposed patch. We should decide whether this is the correct encoding to use for SHAKE128 and SHAKE256, because they are variable-length output functions and there is an alternative encoding that has a field for the length, which is likely better suited, but currently not really well supported by libgcrypt (since this would be dynamic content in the ASN.1 encoding).

Note that this functionality will likely be required for FIPS certification according to FIPS 186-5, because otherwise PKCS#1v1.5 signatures with SHA-3 will not work correctly.

werner triaged this task as Normal priority.Feb 7 2024, 9:20 AM
gniibe changed the task status from Open to Testing.Feb 9 2024, 8:32 AM
gniibe claimed this task.
gniibe added a subscriber: gniibe.

Applied the change. I write the ChangeLog entry by commit message.