Closed randombit closed 1 year ago
> A related issue is that signatures are decoded as big integers but it is never checked that the length of the signature is equal to the public modulus length.
I think this only applies to RSASSA-PKCS#1v1.5. It seems like the PSS implementation has always had checks for the signature length:
Anyway, will get them added to PKCS#1v1.5 too.
I believe #306 should address these concerns
`raw_encryption_primitive` is used for verifying signatures. It does not check that the decoded integer value is less than the modulus, thus if `s` is a valid signature it will also accept `s+k*n` where `n` is the public modulus and `k` is any positive integer. This introduces signature malleability, which is probably not an enormous problem in most applications, but neither does it seem desirable.
A related issue is that signatures are decoded as big integers but it is never checked that the length of the signature is equal to the public modulus length. So if `sig` is the binary encoding of a valid signature, prefixing that signature with any number of zero bytes will also be accepted as valid. This may affect ciphertext decryption as well, but I haven't checked this.
The following patch to the tests demonstrates the issues
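The two missing checks discussed in this thread, shown side by side as an added illustration (this is not the test patch referred to above and not the project's code). The key is a constructed, insecure toy key built from two Mersenne primes, and all function names are made up for this example.

```python
import hashlib

# Constructed toy key for illustration only: two Mersenne primes (insecure).
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8            # modulus length in bytes

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v15(msg: bytes) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of msg with SHA-256, padded to K bytes."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(msg: bytes) -> bytes:
    m = int.from_bytes(emsa_pkcs1_v15(msg), "big")
    return pow(m, D, N).to_bytes(K, "big")

def verify_lenient(msg: bytes, sig: bytes) -> bool:
    """Behaviour described in the issue: no range check, no length check."""
    s = int.from_bytes(sig, "big")       # leading zero bytes vanish here
    em = pow(s, E, N).to_bytes(K, "big") # s and s + k*n reduce to the same value
    return em == emsa_pkcs1_v15(msg)

def verify_strict(msg: bytes, sig: bytes) -> bool:
    """Same verification with both checks: len(sig) == K and s < n."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    return em == emsa_pkcs1_v15(msg)

def variants(sig: bytes):
    """Alternative encodings of a valid signature, as described in the issue."""
    s = int.from_bytes(sig, "big")
    plus_n = (s + N).to_bytes(K + 1, "big")  # s + k*n with k = 1
    zero_prefixed = b"\x00\x00" + sig        # extra leading zero bytes
    return plus_n, zero_prefixed
```
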