Exponent 3 damage spreads...

Eric Young eay at pobox.com
Mon Sep 11 20:53:31 EDT 2006


Jostein Tveit wrote:
> Anyone got a test key with a real and a forged signature to test
> other implementations than OpenSSL?
Well, since this is not really an issue about forging signatures, rather
invalid verification, I've appended 2 self-signed certs (resigned
apps/server.pem), one with a valid signature, and one with a signature block
with an extra byte appended after the ASN.1 (but before signing).

For openssl 0.9.8a
eay at huboo ~/work>openssl verify -CAfile cert-ok.pem cert-ok.pem
cert-ok.pem: OK
eay at huboo ~/work>openssl verify -CAfile cert-bad.pem cert-bad.pem
cert-bad.pem: OK

For openssl 0.9.8c
eay at huboo ~/work>openssl-0.9.8c/apps/openssl verify -CAfile cert-ok.pem cert-ok.pem
cert-ok.pem: OK
eay at huboo ~/work>openssl-0.9.8c/apps/openssl verify -CAfile cert-bad.pem cert-bad.pem
cert-bad.pem: /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
error 7 at 0 depth lookup:certificate signature failure
28900:error:04077068:rsa routines:RSA_verify:bad signature:rsa_sign.c:192:
28900:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:

so this appears to trigger the relevant condition.

For my own recent pkcs#1 implementations, they do not ASN.1 decode the
signature block, rather they generate a signature block and do a memcmp
with the output from the RSA decrypt.  I did this since it is easy to
generate small amounts of ASN.1 relative to parsing and checking all the
boundary cases.  In this case this 'simpler' approach seems to have paid
off :-).

eric
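
The two verification styles contrasted in this message, as an added example (not Eric Young's or OpenSSL's code): a simplified parse-style check that stops once the DigestInfo has matched, beside encode-and-compare with memcmp. The 64-byte block size, the 0xab digest value and all function names are constructed for illustration, and the RSA public-key operation is assumed to have been done already.

```c
#include <stdio.h>
#include <string.h>
/* DER prefix of a SHA-1 DigestInfo (RFC 8017, 9.2); the digest follows it. */
static const unsigned char PREFIX[15] = { 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,
    0x0e,0x03,0x02,0x1a,0x05,0x00,0x04,0x14 };
enum { PLEN = 15, DLEN = 20, TLEN = PLEN + DLEN };
/* The one valid block: 00 01 FF..FF 00 || DigestInfo, exactly k bytes. */
int build_em(const unsigned char *digest, unsigned char *em, size_t k) {
    if (k < (size_t)TLEN + 11) return 0;      /* need >= 8 bytes of FF */
    size_t ps = k - TLEN - 3;
    em[0] = 0x00; em[1] = 0x01;
    memset(em + 2, 0xff, ps);
    em[2 + ps] = 0x00;
    memcpy(em + 3 + ps, PREFIX, PLEN);
    memcpy(em + 3 + ps + PLEN, digest, DLEN);
    return 1;
}

/* Constructed bad block: valid k-1 byte encoding plus one extra trailing byte. */
int build_em_extra_byte(const unsigned char *digest, unsigned char *em, size_t k) {
    if (k < 1 || !build_em(digest, em, k - 1)) return 0;
    em[k - 1] = 0x00;
    return 1;
}

/* Encode-and-compare: regenerate the block, memcmp the whole of it. */
int verify_compare(const unsigned char *em, size_t k, const unsigned char *digest) {
    unsigned char expected[512];
    if (k > sizeof expected || !build_em(digest, expected, k)) return 0;
    return memcmp(em, expected, k) == 0;
}

/* Parse-style check that never asks whether the DigestInfo ends the block. */
int verify_lax_parse(const unsigned char *em, size_t k, const unsigned char *digest) {
    size_t i = 2;
    if (k < 3 || em[0] != 0x00 || em[1] != 0x01) return 0;
    while (i < k && em[i] == 0xff) i++;
    if (i >= k || em[i++] != 0x00 || k - i < (size_t)TLEN) return 0;
    if (memcmp(em + i, PREFIX, PLEN) != 0) return 0;
    return memcmp(em + i + PLEN, digest, DLEN) == 0;  /* trailing bytes ignored */
}

int main(void) {
    unsigned char d[DLEN], ok[64], bad[64];
    memset(d, 0xab, DLEN);                    /* constructed digest value */
    build_em(d, ok, 64); build_em_extra_byte(d, bad, 64);
    printf("ok:  lax=%d compare=%d\nbad: lax=%d compare=%d\n", verify_lax_parse(ok, 64, d),
           verify_compare(ok, 64, d), verify_lax_parse(bad, 64, d), verify_compare(bad, 64, d));
    return 0;
}
```

The comparing verifier needs no boundary-case handling of its own: any block other than the single expected encoding fails the memcmp.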



---------------------------------------------------------------------
The Cryptography Mailing List