After testing your implementation of PKCS#1 v1.5 Signature Verification, I noticed it fails to check that end of padding is actually 0x00 and it can take any arbitrary value.
I think the issue exists because in pkcs1_pad(), line 356, after peeling off the padding bytes (0xFF...FF), the end of padding here can be any arbitrary byte to get us out of the loop. No signature forgery, just a minor leniency.
--Daniel
I think commit 1c9ea9e fixes this and enforces the hash length better.
PS: This is old code implementing an old standard that I particularly dislike and can't find the time to rewrite in a better way.
I'm strongly considering just removing it altogether if no one speaks up. :)
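The leniency reported above, as an added example that is not the project's code: a lenient parse modelled on the behaviour described in the report, beside a strict parse that requires the 0x00 separator and an exact payload length. The function names `unpad_lenient`, `unpad_strict` and `parse_sample` are hypothetical, and the 32-byte block is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Lenient parse (assumed shape of the reported behaviour): skip the 0xFF run,
 * then step over whatever byte ended it without checking that it is 0x00.
 * Returns the payload offset, or -1 on error. */
static int unpad_lenient(const uint8_t *em, size_t len)
{
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01) return -1;
    while (i < len && em[i] == 0xFF) i++;
    if (i >= len) return -1;
    return (int)(i + 1);                 /* separator value never inspected */
}

/* Strict parse per RFC 8017 EMSA-PKCS1-v1_5: 00 01, at least 8 bytes of FF,
 * a separator that is exactly 00, and a payload of exactly the expected size. */
static int unpad_strict(const uint8_t *em, size_t len, size_t payload_len)
{
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01) return -1;
    while (i < len && em[i] == 0xFF) i++;
    if (i - 2 < 8) return -1;            /* PS shorter than 8 bytes */
    if (i >= len || em[i] != 0x00) return -1;
    if (len - (i + 1) != payload_len) return -1;
    return (int)(i + 1);
}

/* Constructed 32-byte block: 00 01 | FF x10 | separator | 19 payload bytes. */
int parse_sample(uint8_t separator, int strict)
{
    uint8_t em[32];
    memset(em, 0xAB, sizeof em);         /* placeholder payload bytes */
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xFF, 10);
    em[12] = separator;
    return strict ? unpad_strict(em, sizeof em, 19) : unpad_lenient(em, sizeof em);
}

int main(void)
{
    printf("sep=00 lenient=%d strict=%d\n", parse_sample(0x00, 0), parse_sample(0x00, 1));
    printf("sep=42 lenient=%d strict=%d\n", parse_sample(0x42, 0), parse_sample(0x42, 1));
    return 0;
}
```

A regression test for a fix of this kind can iterate the separator over all 255 non-zero values and require rejection for each.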