Page MenuHome GnuPG
Create Task
Maniphest T8032

libksba: Input validation for DER encoded INTEGER
Closed, WontfixPublic
Actions

Description

libksba should validate input of DER encoded INTEGER to reject invalid data representation (like extra leading zeros/0xff).

X.690 says:

8.3 Encoding of an integer value
8.3.1 The encoding of an integer value shall be primitive. The contents octets shall consist of one or more octets.
8.3.2 If the contents octets of an integer value encoding consist of more than one octet, then the bits of the first octet and bit 8 of the second octet:
a) shall not all be ones; and
b) shall not all be zero.
NOTE – These rules ensure that an integer value is always encoded in the smallest possible number of octets.
8.3.3 The contents octets shall be a two's complement binary number equal to the integer value, and consisting of bits 8 to 1 of the first octet, followed by bits 8 to 1 of the second octet, followed by bits 8 to 1 of each octet in turn up to and including the last octet of the contents octets.
NOTE – The value of a two's complement binary number is derived by numbering the bits in the contents octets, starting with bit 1 of the last octet as bit zero and ending the numbering with bit 8 of the first octet. Each bit is assigned a numerical value of 2^N, where N is its position in the above numbering sequence. The value of the two's complement binary number is obtained by summing the numerical values assigned to each bit for those bits which are set to one, excluding bit 8 of the first octet, and then reducing this value by the numerical value assigned to bit 8 of the first octet if that bit is set to one.

libksba should validate input of DER encoded data (of any type) to reject non-canonical representations.

X.690 says:

10.1 Length forms
The definite form of length encoding shall be used, encoded in the minimum number of octets. [Contrast with 8.1.3.2 b).]

Details

External Link
https://lists.gnupg.org/pipermail/gnupg-devel/2026-January/036133.html

Event Timeline

gniibe created this task.Jan 14 2026, 3:02 AM
gniibe added a project: S/MIME.
werner added a subscriber: werner.EditedJan 14 2026, 10:07 AM

Some historic integer encoding glitches from Peter Gutmann's style guide:

Some Microsoft software will generate negative values about 50% of the time
whenever it encodes anything as an INTEGER because it ignores the fact that
the top bit of an integer is the sign bit (this is still occurring in
programs released as recently as early 1998).
Telesec:
The certificates encode INTEGER values incorrectly by setting the high bit,
which makes them negative values.  This is particularly problematic with RSA
keys since they use a hardwired exponent of 3,221,225,473 (!!!) which always
has the high bit set (0xC0000001), so all the RSA certificates have invalid
encodings.  This was corrected in late 1999.

The encoding of the Certificate may follow the BER rather than the DER. At
least one implementation uses the indefinite-length encoding form for the
SEQUENCE.

And I don't expect that that everything is correct now. As long as we don't have a clear security issue here, we should not add extra constraints on DER or even BER parsing.

thesamesam added a subscriber: thesamesam.Jan 14 2026, 8:24 PM
werner triaged this task as Low priority.Jan 16 2026, 11:01 AM

See the gnupg-devel mailing list for more discussions. Subject: libgcrypt P256 signature malleability via weak DER enforcement"

gniibe mentioned this in Unknown Object (Maniphest Task).Jan 19 2026, 3:05 AM
pl13 added a subscriber: pl13.Jan 20 2026, 11:47 AM
werner closed this task as Wontfix.Jan 21 2026, 10:39 AM
werner claimed this task.
werner lowered the priority of this task from Low to Wishlist.
gniibe added a comment.Tue, Mar 3, 1:25 AM

For the record (to show we don't hide a problem), I add some information.

The reporter published: https://github.com/JakeGinesin/gcrypt-p256-malleability-poc

gniibe added a comment.EditedTue, Mar 3, 1:51 AM

It seemed that the reporter (also) claimed that a git repo could be weak/vulnerable when X.509 signature (with a relevant curve key) is used to validate the commit.

Speaking about git and its use of cryptographic signature, I address some technical information here.
(Because I don't understand the reporter's claim)

  • When a representation of signature (which validates a commit with its public key) changes, commit id is changed, because the signature itself is a part of commit data to be hashed.
  • I don't think this causes a severe problem for a git repo. If this is somehow problematic, we should note that there are other possibilities for third person to change the representation of a signature inside a last commit (to publish at his own site), keeping the validation valid.
    • For PEM, the CR-LF ambiguity allows multiple representations in ASCII (which is used for git commit) when the signature is represented by multiple lines. See RFC7468.
    • (For OpenPGP, ASCII armor is more lax which allows multiple representation in ASCII other than CR-LF ambiguity.)
gniibe mentioned this in Unknown Object (Maniphest Task).Mon, Mar 9, 2:40 AM