* Daniel Kahn Gillmor:
Hi Florian--
On Sat 2021-06-05 18:03:14 +0200, Florian Weimer wrote:
* Daniel Kahn Gillmor:
The OpenPGP standard is in a bit of a mess when it comes to wire
formats for public key algorithms.
There are not infrequent reports of interoperability problems (most
recently https://dev.gnupg.org/T5464), and difficulties for
implementers in understanding what is expected.
I think this issue also affects RSA data because the way OpenPGP
specifies the operations, they are octet strings of a specific length,
not integers, and may including leading zero bytes.
This is an unsettling message, but I'm not sure I understand what you
mean. Can you provide a specific example?
RFC 3447 section 8.2.2 says this about signature verification:
| 1. Length checking: If the length of the signature S is not k octets,
| output "invalid signature" and stop.
<https://datatracker.ietf.org/doc/html/rfc3447#section-8.2.2>
Due to the way MPI encoding and decoding does no round-trip leading
zeros, some valid OpenPGP signatures (about one in every 256) cannot
be validated by PKCS#1 implementations that perform this length check.
I guess every implementor who tries to layer OpenPGP on top of an
existing PKCS#1 implementation will eventually learn about this, but I
suspect I'm not the only one who was surprised by this.
_______________________________________________
openpgp mailing list
openpgp(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/openpgp