pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

Add support for RSA sign/verify with raw PKCS #1 data without DigestInfo #10226

Open misterzed88 opened 9 months ago

misterzed88 commented 9 months ago

There are non-standard RSA signature formats where the PKCS #1-padded data is without DigestInfo. A few examples:

By making it possible to support these formats the Cryptography library would be even more versatile and useful, broadening its user base.

The RSAPublicKey.recover_data_from_signature already supports these types of non-standard formats. (See issue #5495).

A straightforward solution would be to extend the RSAPrivateKey.sign and RSAPublicKey.verify APIs to allow None in the algorithm parameter. This would also make these APIs symmetrical with RSAPublicKey.recover_data_from_signature, which accepts None for the exact same purpose.

reaperhulk commented 9 months ago

Are there any test vectors we can use to confirm functionality here?

misterzed88 commented 9 months ago

The best I have found for now are NIST test vectors for RSA signatures, part of their Cryptographic Algorithm Validation Program (CAVP). The RSA test vector files are linked from the "Test Vectors" section.

The SigGen15_186-*.txt files contain the private exponent which makes it possible to create signatures in addition to verifying them.

Unfortunately the vector files do not contain data for the intermediary steps. So the test code has to perform the low-level message encoding according to section 9.2 in RFC 3447. (It is quite straightforward).

I have also tried to find public test data for RSA-signatures of 36-byte TLS 1.1 MD5+SHA1 hash values, but so far without any luck.
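
The encoding step from RFC 3447 section 9.2 mentioned above, as an added example that is not part of the original thread or of the cryptography project's code: it builds the padded block both with a SHA-256 DigestInfo and in the raw form this issue asks for. The function names, the 256-byte block size and the sample input are assumptions made for the illustration.

```python
import hashlib
import hmac

# DER prefix of DigestInfo for SHA-256 (RFC 3447 section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def pad_type1(t: bytes, em_len: int) -> bytes:
    """EM = 0x00 || 0x01 || PS || 0x00 || T, with PS = 0xff bytes (at least 8)."""
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def encode_with_digestinfo(message: bytes, em_len: int) -> bytes:
    """Standard EMSA-PKCS1-v1_5: T = DigestInfo prefix || SHA-256(message)."""
    return pad_type1(SHA256_PREFIX + hashlib.sha256(message).digest(), em_len)


def encode_raw(data: bytes, em_len: int) -> bytes:
    """Variant discussed in this issue: T is the caller's data, no DigestInfo."""
    return pad_type1(data, em_len)


def md5_sha1(data: bytes) -> bytes:
    """36-byte MD5 || SHA-1 value, the TLS 1.1 case named in the thread."""
    return hashlib.md5(data).digest() + hashlib.sha1(data).digest()


def check_raw(em: bytes, expected: bytes) -> bool:
    """Compare a recovered block against a fresh encoding instead of parsing
    the padding, so a short PS or trailing bytes can never be accepted."""
    try:
        return hmac.compare_digest(em, encode_raw(expected, len(em)))
    except ValueError:
        return False


if __name__ == "__main__":
    K = 256  # assumed modulus size in bytes (2048-bit key)
    sample = b"constructed sample input"  # not a real handshake transcript
    raw_em = encode_raw(md5_sha1(sample), K)
    std_em = encode_with_digestinfo(sample, K)
    print(raw_em[:4].hex(), len(raw_em), check_raw(raw_em, md5_sha1(sample)))
    print(std_em[:4].hex(), len(std_em), check_raw(std_em, md5_sha1(sample)))
```

The two blocks differ only in T, so a verifier that expects the raw form rejects a standard DigestInfo block of the same length, and the reverse.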

misterzed88 commented 7 months ago

After spending considerable effort, I could not find any nice, public test vectors for the SSL/TLS 1.1 signature case (RSA-signed 36-byte MD5+SHA1 hashes).

As an alternative, I could create a test vector for this case, by running a TLS handshake trace with OpenSSL, documenting the steps so it can be reproduced by others.

Would you have any use for a test vector created this way? Is there anything else I can help with to advance this feature request?