Yubico / yubikit-android

Yubico Mobile Android SDK - YubiKit
Apache License 2.0

SHA256withRSA signing/padding question/issue #15

Status: Closed (closed by bjvetter 4 years ago)

bjvetter commented 4 years ago

I have an application that is using your PIV application interface. We are creating CMS messages using a ContentSigner wrapper around the PIV app that results in a signed and/or encrypted CMS message.

Everything is good if I use EC keys, but if I use RSA keys, the resulting signature does not verify. I have code that calls pivapplication.sign() followed immediately by Android's Java Signature/verify code. The signature.verify(signatureFromYubi) always fails for RSA (SHA256withRSA). (As an aside, we can ship that CMS to a server and it also fails to verify using a BC library in a Java server.)

I am speculating that there may be an issue due to padding. Is your padding algorithm not compatible with the Android/Java SHA256withRSA algorithm (the one also returned by the getSigAlgName() method on the cert)? Or maybe you know of some other issue with PIV signing in the library?

imakhalova commented 4 years ago

Hello @bjvetter, thank you for reaching out. That's a great catch. I was able to reproduce it, and I found the root cause in the implementation of PKCS#1 v1.5 padding for RSA (within pivapplication.sign()).

bjvetter commented 4 years ago

Yes, I was looking at that same method. I noticed some differences between that implementation and those in Android and OpenJDK.

imakhalova commented 4 years ago

Addressed with https://github.com/Yubico/yubikit-android/pull/16. Released in version 1.0.0-beta05.
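As an added example (not code from this thread or from yubikit-android), here is the EMSA-PKCS1-v1_5 encoding that a SHA256withRSA verifier expects, written from RFC 8017, together with a diagnostic that undoes the public RSA operation and reports which part of the recovered encoded message is malformed, which is the check a practitioner wants when a hardware-produced RSA signature is rejected. The key is a constructed, undersized demo key, and `prefix=b""` is an assumed illustration of a generic padding mistake (padding the bare digest), not the specific defect fixed in PR #16.

```python
import hashlib
import secrets

# DER DigestInfo prefix for SHA-256 (RFC 8017 9.2, note 1); SHA256withRSA verifiers expect it before the digest.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def emsa_pkcs1_v1_5(msg: bytes, k: int, prefix: bytes = SHA256_DIGESTINFO) -> bytes:
    """k-byte EM = 00 01 || PS (>= 8 x FF) || 00 || prefix || SHA-256(msg); prefix=b"" mimics a bare-digest bug."""
    t = prefix + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def diagnose_em(em: bytes):
    """Report which part of a recovered EM breaks PKCS#1 v1.5: (ok, reason)."""
    if em[:2] != b"\x00\x01":
        return False, "missing 00 01 header"
    sep = em.find(b"\x00", 2)
    if sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        return False, "PS must be >= 8 bytes of 0xFF followed by 00"
    if not em[sep + 1:].startswith(SHA256_DIGESTINFO):
        return False, "DigestInfo prefix missing (bare hash padded?)"
    return True, "well-formed"

def _probable_prime(n: int, rounds: int = 24) -> bool:  # Miller-Rabin, odd n > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_key(bits: int = 1024, e: int = 65537):
    """Constructed demo key, far too small for real use. Returns (n, e, d)."""
    def prime(b, c=1):  # odd, full-width candidates with gcd(e, c - 1) == 1
        while (c - 1) % e == 0 or not _probable_prime(c):
            c = secrets.randbits(b) | 1 << (b - 1) | 1
        return c
    p, q = prime(bits // 2), prime(bits // 2)
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def rsa_sign(msg: bytes, n: int, d: int, prefix: bytes = SHA256_DIGESTINFO) -> bytes:
    k = (n.bit_length() + 7) // 8  # modulus length in bytes; EM must be exactly k bytes
    return pow(int.from_bytes(emsa_pkcs1_v1_5(msg, k, prefix), "big"), d, n).to_bytes(k, "big")

def recover_em(sig: bytes, n: int, e: int) -> bytes:  # public RSA op: the EM a verifier inspects
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes((n.bit_length() + 7) // 8, "big")

def rsa_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    return recover_em(sig, n, e) == emsa_pkcs1_v1_5(msg, (n.bit_length() + 7) // 8)
```

Running `diagnose_em(recover_em(sig, n, e))` on a rejected signature with the certificate's modulus and exponent tells you whether the header, the 0xFF padding string, or the DigestInfo prefix is the part the SHA256withRSA verifier is tripping over.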