Leniency in parsing block type byte and padding bytes for PKCS#1 v1.5 signature verification #478
Another finding, besides the incompatibility issue reported here for PKCS#1 v1.5 signature verification, is the leniency in parsing the prefix of the PKCS#1 structure.
Background. The prefix to the top ASN.1 structure of the PKCS1 v1.5 encoded message consists of leading byte (
Problem. However, jsrsasign v10.1.13 is lenient in checking such requirements and some other invalid signatures are mistakenly recognized to be valid. As will be shown below in the snippet taken from the source code, the issue arises because the implementation ignores the initial
More detailed root cause analysis. In line
Implication: (Interoperability issue) This might not be susceptible to an immediate signature forgery attack, because without the ability to hide random bytes the attack cost seems to be prohibitive. However, this can simply create an interoperability issue.
Reference notation and concrete values
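The prefix rules this issue concerns, written out as a strict check following RFC 8017 section 9.2. This is an added example, not jsrsasign's code and not part of the original report; `parseEmPrefix`, `makeEm` and `check` are hypothetical names, and the encoded messages are constructed samples.

```javascript
// Strict check of the EMSA-PKCS1-v1_5 prefix (RFC 8017, section 9.2):
//   EM = 0x00 || 0x01 || PS || 0x00 || T
// PS is at least 8 bytes of 0xFF; T is the DER-encoded DigestInfo.

// em: Uint8Array holding the full k-byte encoded message (k = modulus length),
// leading zero byte included. Returns the offset where T starts, else throws.
function parseEmPrefix(em, k) {
  if (em.length !== k) throw new Error("EM length differs from modulus length");
  if (em[0] !== 0x00) throw new Error("leading byte is not 0x00");
  if (em[1] !== 0x01) throw new Error("block type is not 0x01");
  let i = 2;
  while (i < em.length && em[i] === 0xff) i++; // consume PS
  if (i - 2 < 8) throw new Error("PS shorter than 8 bytes or not 0xFF");
  if (i >= em.length || em[i] !== 0x00) throw new Error("PS not terminated by 0x00");
  return i + 1;
}

// Constructed sample builder: a k-byte EM around T with overridable prefix bytes.
function makeEm(k, t, { lead = 0x00, bt = 0x01, pad = 0xff, sep = 0x00 } = {}) {
  const em = new Uint8Array(k).fill(pad);
  em[0] = lead;
  em[1] = bt;
  em[k - t.length - 1] = sep;
  em.set(t, k - t.length);
  return em;
}

function check(em, k) {
  try { return "ok, T at offset " + parseEmPrefix(em, k); }
  catch (e) { return "rejected: " + e.message; }
}

// SHA-256 DigestInfo header followed by a dummy all-zero 32-byte digest (constructed).
const T = new Uint8Array(51);
T.set([0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
       0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20]);

const K = 256; // 2048-bit modulus
const samples = {
  "well-formed":        [makeEm(K, T), K],
  "leading byte 0x02":  [makeEm(K, T, { lead: 0x02 }), K],
  "block type 0x02":    [makeEm(K, T, { bt: 0x02 }), K],
  "padding 0xFE":       [makeEm(K, T, { pad: 0xfe }), K],
  "separator 0x01":     [makeEm(K, T, { sep: 0x01 }), K],
  "7-byte PS":          [makeEm(61, T), 61],
};
for (const [name, [em, k]] of Object.entries(samples)) {
  console.log(name.padEnd(20), check(em, k));
}
```

A verifier that rebuilds the expected EM from the message hash and compares it byte for byte with the recovered one covers these prefix checks and the contents of T in a single step.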