add option to do PKCS#1 v1.5 EMSA without ASN.1 around hash
Somehow someone forgot to add the OID in the signature field of a SERVER_KEY_EXCHANGE message in early versions of the SSL protocol. Therefore provide an option to be able to sign/verify a message in that format.
This commit is contained in:
parent
25878ed632
commit
aa4bae5ae9
@ -13,7 +13,8 @@ enum ltc_pkcs_1_paddings
|
||||
{
|
||||
LTC_PKCS_1_V1_5 = 1, /* PKCS #1 v1.5 padding (\sa ltc_pkcs_1_v1_5_blocks) */
|
||||
LTC_PKCS_1_OAEP = 2, /* PKCS #1 v2.0 encryption padding */
|
||||
LTC_PKCS_1_PSS = 3 /* PKCS #1 v2.1 signature padding */
|
||||
LTC_PKCS_1_PSS = 3, /* PKCS #1 v2.1 signature padding */
|
||||
LTC_PKCS_1_V1_5_NA1 = 4 /* PKCS #1 v1.5 padding - No ASN.1 (\sa ltc_pkcs_1_v1_5_blocks) */
|
||||
};
|
||||
|
||||
int pkcs_1_mgf1( int hash_idx,
|
||||
|
@ -23,7 +23,7 @@
|
||||
@param inlen The length of the hash to sign (octets)
|
||||
@param out [out] The signature
|
||||
@param outlen [in/out] The max size and resulting size of the signature
|
||||
@param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5)
|
||||
@param padding Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
|
||||
@param prng An active PRNG state
|
||||
@param prng_idx The index of the PRNG desired
|
||||
@param hash_idx The index of the hash desired
|
||||
@ -47,15 +47,21 @@ int rsa_sign_hash_ex(const unsigned char *in, unsigned long inlen,
|
||||
LTC_ARGCHK(key != NULL);
|
||||
|
||||
/* valid padding? */
|
||||
if ((padding != LTC_PKCS_1_V1_5) && (padding != LTC_PKCS_1_PSS)) {
|
||||
if ((padding != LTC_PKCS_1_V1_5) &&
|
||||
(padding != LTC_PKCS_1_PSS) &&
|
||||
(padding != LTC_PKCS_1_V1_5_NA1)) {
|
||||
return CRYPT_PK_INVALID_PADDING;
|
||||
}
|
||||
|
||||
if (padding == LTC_PKCS_1_PSS) {
|
||||
/* valid prng and hash ? */
|
||||
/* valid prng ? */
|
||||
if ((err = prng_is_valid(prng_idx)) != CRYPT_OK) {
|
||||
return err;
|
||||
}
|
||||
}
|
||||
|
||||
if (padding != LTC_PKCS_1_V1_5_NA1) {
|
||||
/* valid hash ? */
|
||||
if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
|
||||
return err;
|
||||
}
|
||||
@ -81,46 +87,54 @@ int rsa_sign_hash_ex(const unsigned char *in, unsigned long inlen,
|
||||
} else {
|
||||
/* PKCS #1 v1.5 pad the hash */
|
||||
unsigned char *tmpin;
|
||||
ltc_asn1_list digestinfo[2], siginfo[2];
|
||||
|
||||
/* not all hashes have OIDs... so sad */
|
||||
if (hash_descriptor[hash_idx].OIDlen == 0) {
|
||||
return CRYPT_INVALID_ARG;
|
||||
}
|
||||
if (padding == LTC_PKCS_1_V1_5) {
|
||||
ltc_asn1_list digestinfo[2], siginfo[2];
|
||||
/* not all hashes have OIDs... so sad */
|
||||
if (hash_descriptor[hash_idx].OIDlen == 0) {
|
||||
return CRYPT_INVALID_ARG;
|
||||
}
|
||||
|
||||
/* construct the SEQUENCE
|
||||
SEQUENCE {
|
||||
SEQUENCE {hashoid OID
|
||||
blah NULL
|
||||
}
|
||||
SEQUENCE {
|
||||
SEQUENCE {hashoid OID
|
||||
blah NULL
|
||||
}
|
||||
hash OCTET STRING
|
||||
}
|
||||
*/
|
||||
LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen);
|
||||
LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0);
|
||||
LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2);
|
||||
LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, in, inlen);
|
||||
|
||||
/* allocate memory for the encoding */
|
||||
y = mp_unsigned_bin_size(key->N);
|
||||
tmpin = XMALLOC(y);
|
||||
if (tmpin == NULL) {
|
||||
return CRYPT_MEM;
|
||||
}
|
||||
*/
|
||||
LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, hash_descriptor[hash_idx].OID, hash_descriptor[hash_idx].OIDlen);
|
||||
LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0);
|
||||
LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2);
|
||||
LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, in, inlen);
|
||||
|
||||
/* allocate memory for the encoding */
|
||||
y = mp_unsigned_bin_size(key->N);
|
||||
tmpin = XMALLOC(y);
|
||||
if (tmpin == NULL) {
|
||||
return CRYPT_MEM;
|
||||
}
|
||||
|
||||
if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) {
|
||||
XFREE(tmpin);
|
||||
return err;
|
||||
if ((err = der_encode_sequence(siginfo, 2, tmpin, &y)) != CRYPT_OK) {
|
||||
XFREE(tmpin);
|
||||
return err;
|
||||
}
|
||||
} else {
|
||||
/* set the pointer and data-length to the input values */
|
||||
tmpin = (unsigned char *)in;
|
||||
y = inlen;
|
||||
}
|
||||
|
||||
x = *outlen;
|
||||
if ((err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA,
|
||||
modulus_bitlen, NULL, 0,
|
||||
out, &x)) != CRYPT_OK) {
|
||||
err = pkcs_1_v1_5_encode(tmpin, y, LTC_PKCS_1_EMSA, modulus_bitlen, NULL, 0, out, &x);
|
||||
|
||||
if (padding == LTC_PKCS_1_V1_5) {
|
||||
XFREE(tmpin);
|
||||
}
|
||||
|
||||
if (err != CRYPT_OK) {
|
||||
return err;
|
||||
}
|
||||
XFREE(tmpin);
|
||||
}
|
||||
|
||||
/* RSA encode it */
|
||||
|
@ -23,7 +23,7 @@
|
||||
@param siglen The length of the signature data (octets)
|
||||
@param hash The hash of the message that was signed
|
||||
@param hashlen The length of the hash of the message that was signed (octets)
|
||||
@param padding Type of padding (LTC_PKCS_1_PSS or LTC_PKCS_1_V1_5)
|
||||
@param padding Type of padding (LTC_PKCS_1_PSS, LTC_PKCS_1_V1_5 or LTC_PKCS_1_V1_5_NA1)
|
||||
@param hash_idx The index of the desired hash
|
||||
@param saltlen The length of the salt used during signature
|
||||
@param stat [out] The result of the signature comparison, 1==valid, 0==invalid
|
||||
@ -51,11 +51,12 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
|
||||
/* valid padding? */
|
||||
|
||||
if ((padding != LTC_PKCS_1_V1_5) &&
|
||||
(padding != LTC_PKCS_1_PSS)) {
|
||||
(padding != LTC_PKCS_1_PSS) &&
|
||||
(padding != LTC_PKCS_1_V1_5_NA1)) {
|
||||
return CRYPT_PK_INVALID_PADDING;
|
||||
}
|
||||
|
||||
if (padding == LTC_PKCS_1_PSS) {
|
||||
if (padding != LTC_PKCS_1_V1_5_NA1) {
|
||||
/* valid hash ? */
|
||||
if ((err = hash_is_valid(hash_idx)) != CRYPT_OK) {
|
||||
return err;
|
||||
@ -103,15 +104,8 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
|
||||
} else {
|
||||
/* PKCS #1 v1.5 decode it */
|
||||
unsigned char *out;
|
||||
unsigned long outlen, loid[16], reallen;
|
||||
unsigned long outlen;
|
||||
int decoded;
|
||||
ltc_asn1_list digestinfo[2], siginfo[2];
|
||||
|
||||
/* not all hashes have OIDs... so sad */
|
||||
if (hash_descriptor[hash_idx].OIDlen == 0) {
|
||||
err = CRYPT_INVALID_ARG;
|
||||
goto bail_2;
|
||||
}
|
||||
|
||||
/* allocate temp buffer for decoded hash */
|
||||
outlen = ((modulus_bitlen >> 3) + (modulus_bitlen & 7 ? 1 : 0)) - 3;
|
||||
@ -126,37 +120,54 @@ int rsa_verify_hash_ex(const unsigned char *sig, unsigned long siglen,
|
||||
goto bail_2;
|
||||
}
|
||||
|
||||
/* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */
|
||||
/* construct the SEQUENCE
|
||||
SEQUENCE {
|
||||
SEQUENCE {hashoid OID
|
||||
blah NULL
|
||||
}
|
||||
hash OCTET STRING
|
||||
if (padding == LTC_PKCS_1_V1_5) {
|
||||
unsigned long loid[16], reallen;
|
||||
ltc_asn1_list digestinfo[2], siginfo[2];
|
||||
|
||||
/* not all hashes have OIDs... so sad */
|
||||
if (hash_descriptor[hash_idx].OIDlen == 0) {
|
||||
err = CRYPT_INVALID_ARG;
|
||||
goto bail_2;
|
||||
}
|
||||
*/
|
||||
LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0]));
|
||||
LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0);
|
||||
LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2);
|
||||
LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen);
|
||||
|
||||
if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) {
|
||||
XFREE(out);
|
||||
goto bail_2;
|
||||
}
|
||||
/* now we must decode out[0...outlen-1] using ASN.1, test the OID and then test the hash */
|
||||
/* construct the SEQUENCE
|
||||
SEQUENCE {
|
||||
SEQUENCE {hashoid OID
|
||||
blah NULL
|
||||
}
|
||||
hash OCTET STRING
|
||||
}
|
||||
*/
|
||||
LTC_SET_ASN1(digestinfo, 0, LTC_ASN1_OBJECT_IDENTIFIER, loid, sizeof(loid)/sizeof(loid[0]));
|
||||
LTC_SET_ASN1(digestinfo, 1, LTC_ASN1_NULL, NULL, 0);
|
||||
LTC_SET_ASN1(siginfo, 0, LTC_ASN1_SEQUENCE, digestinfo, 2);
|
||||
LTC_SET_ASN1(siginfo, 1, LTC_ASN1_OCTET_STRING, tmpbuf, siglen);
|
||||
|
||||
if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
|
||||
XFREE(out);
|
||||
goto bail_2;
|
||||
}
|
||||
if ((err = der_decode_sequence(out, outlen, siginfo, 2)) != CRYPT_OK) {
|
||||
XFREE(out);
|
||||
goto bail_2;
|
||||
}
|
||||
|
||||
/* test OID */
|
||||
if ((reallen == outlen) &&
|
||||
(digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
|
||||
if ((err = der_length_sequence(siginfo, 2, &reallen)) != CRYPT_OK) {
|
||||
XFREE(out);
|
||||
goto bail_2;
|
||||
}
|
||||
|
||||
/* test OID */
|
||||
if ((reallen == outlen) &&
|
||||
(digestinfo[0].size == hash_descriptor[hash_idx].OIDlen) &&
|
||||
(XMEM_NEQ(digestinfo[0].data, hash_descriptor[hash_idx].OID, sizeof(unsigned long) * hash_descriptor[hash_idx].OIDlen) == 0) &&
|
||||
(siginfo[1].size == hashlen) &&
|
||||
(siginfo[1].size == hashlen) &&
|
||||
(XMEM_NEQ(siginfo[1].data, hash, hashlen) == 0)) {
|
||||
*stat = 1;
|
||||
*stat = 1;
|
||||
}
|
||||
} else {
|
||||
/* only check if the hash is equal */
|
||||
if ((hashlen == outlen) &&
|
||||
(XMEMCMP(out, hash, hashlen) == 0)) {
|
||||
*stat = 1;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef LTC_CLEAN_STACK
|
||||
|
Loading…
Reference in New Issue
Block a user