On 11/24/06, Ron Teitelbaum Ron@usmedrec.com wrote:
We still need to review our validation of e=3 signatures. Did you have a look at that? Is there any way that reading ASN.1 would stop and leave more data past the hash without throwing an error?
I think I'm missing something here. PKCS#1 signatures require digesting, encoding, encrypting, and then conversion to bit-string. The encoding step takes the hash and wraps it in the following ASN.1:
DigestInfo ::= SEQUENCE { digestAlgorithm DigestAlgorithmIdentifier, digest Digest }
DigestAlgorithmIdentifier ::= AlgorithmIdentifier
Digest ::= OCTET STRING
I'm looking at RSAKey>>v15SignMessageHash: and RSAKey>>v15VerifySignature:ofMessageHash: and the encoding step is being skipped.
Or am I misusing RSAKey? Or do I have an old version? (I'm still figuring out this whole Squeak packaging mess.)
In re: the question, it looks to me like validation is not currently vulnerable to the attack because RSAKey>>v15VerifySignature:ofMessageHash: isn't doing any ASN.1 decoding to attack! :)
-- Tim
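The encoding step Tim describes, and why a verifier that rebuilds the whole block and compares it byte for byte has nothing to attack, as an added example in Python (not code from this thread or from the Squeak Cryptography package). It assumes the DigestInfo DER prefixes given in RFC 3447 section 9.2 and a 1024-bit modulus (k = 128) for the constructed inputs.

```python
import hashlib
import hmac

# DER prefix of DigestInfo (AlgorithmIdentifier + OCTET STRING header) for
# each hash, as listed in RFC 3447 section 9.2 note 1; the digest follows.
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
}

def digest_info(alg: str, message: bytes) -> bytes:
    """The encoding step: wrap the hash in DigestInfo { algorithm, digest }."""
    return DIGEST_INFO_PREFIX[alg] + hashlib.new(alg, message).digest()

def emsa_pkcs1_v15_encode(alg: str, message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5: 00 01 <ff padding, at least 8 bytes> 00 <DigestInfo>."""
    t = digest_info(alg, message)
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_strict(alg: str, message: bytes, em: bytes, k: int) -> bool:
    """Recompute the whole expected block and compare every byte, so nothing
    can sit past the digest and the padding length is checked implicitly."""
    if len(em) != k:
        return False
    return hmac.compare_digest(em, emsa_pkcs1_v15_encode(alg, message, k))

def verify_lax(alg: str, message: bytes, em: bytes) -> bool:
    """A parse-as-you-go check that stops once it has matched DigestInfo and
    ignores whatever follows: the weakness Ron's question is about."""
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    t = digest_info(alg, message)
    return em[i + 1:i + 1 + len(t)] == t

def trailing_data_block(alg: str, message: bytes, k: int) -> bytes:
    """Constructed test input: minimal padding, the correct DigestInfo, then
    zero bytes after it (what a lax verifier would wrongly accept)."""
    t = digest_info(alg, message)
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\x00" * (k - len(head))
```

Run `verify_strict` and `verify_lax` over `trailing_data_block(...)` to see the two checks disagree; only the strict one rejects the block with data after the digest.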