ietf-smime

Re: AlgorithmIdentifier, SHA-1, etc.

2007-04-07 05:04:20

Russ Housley wrote:

> Note that the DigestInfoValue is part of the structure that is
> "encrypted" with the RSA private key when generating a signature.  It is
> recovered by "decrypting" the signature value with the RSA public key.

Note that care should be taken when handling the DigestInfo structure
recovered from an RSA signature.

As well as the original Bleichenbacher signature forgery attack (caused
by ignoring trailing garbage after DigestInfo) there is a variant which
inserts garbage in the middle of the recovered structure. Allowing
arbitrary parameter values in the DigestAlgorithmIdentifier (for example
large OCTET STRINGs) is one way to do this. Unlike the original attack
this variant produces a "valid" DigestInfo structure.

As a result, in the specific case of the recovered DigestInfo from an RSA
signature, OpenSSL now only tolerates a NULL or absent parameter field.
This is OK for all existing digests.

It is more liberal about DigestInfo structures in other contexts.

Steve.
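The two checks Steve describes, applied to the encoded message recovered from an RSA PKCS#1 v1.5 signature, as an added Python example that is not code from this thread or from OpenSSL. It assumes SHA-1 as the digest, uses a minimal DER reader written here rather than a library, and the sample inputs in the test are constructed. The parser rejects trailing bytes after the DigestInfo (the original Bleichenbacher forgery) and any AlgorithmIdentifier parameter other than an absent one or NULL (the "garbage in the middle" variant); the builder shows the simpler defence of reconstructing the expected encoding and comparing it whole, which is what RFC 3447 section 8.2.2 specifies.

```python
"""Strict handling of the DigestInfo recovered from a PKCS#1 v1.5 RSA signature.

Added example (not code from the ietf-smime thread or from OpenSSL). Assumes
SHA-1; sample inputs are constructed for the test.
"""
import hashlib
import hmac

# DER tags used by DigestInfo.
SEQUENCE, OID, NULL, OCTET_STRING = 0x30, 0x06, 0x05, 0x04

# SHA-1 OID 1.3.14.3.2.26, DER-encoded value bytes.
SHA1_OID = bytes.fromhex("2b0e03021a")


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos).

    Only definite, shortest-form lengths are accepted, as DER requires.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        # Reject lengths that would have fit in fewer bytes (e.g. 81 05 for 5).
        if length < 0x80 or (n > 1 and length < (1 << (8 * (n - 1)))):
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def _expect(tag, got):
    if got != tag:
        raise ValueError("unexpected tag 0x%02x" % got)


def parse_digest_info(t):
    """Strictly parse DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }.

    Returns (oid_value_bytes, digest_bytes). Raises ValueError on trailing
    bytes, extra elements, or parameters that are neither absent nor NULL.
    """
    tag, body, end = _read_tlv(t, 0)
    _expect(SEQUENCE, tag)
    if end != len(t):
        raise ValueError("trailing bytes after DigestInfo")  # original forgery
    tag, alg, pos = _read_tlv(body, 0)
    _expect(SEQUENCE, tag)
    tag, digest, pos = _read_tlv(body, pos)
    _expect(OCTET_STRING, tag)
    if pos != len(body):
        raise ValueError("extra elements in DigestInfo")
    # AlgorithmIdentifier: the OID, then parameters that are absent or NULL.
    tag, oid, pos = _read_tlv(alg, 0)
    _expect(OID, tag)
    if pos != len(alg):
        tag, params, pos = _read_tlv(alg, pos)
        if tag != NULL or params != b"" or pos != len(alg):
            raise ValueError("digest parameters must be absent or NULL")  # middle-garbage variant
    return oid, digest


def check_encoded_message(em, message):
    """Check a recovered EM = 00 01 FF..FF 00 || DigestInfo against message.

    True only if the padding is well-formed (at least 8 bytes of FF), the
    DigestInfo parses strictly, the OID is SHA-1 and the digest matches.
    """
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x01:
        return False
    sep = em.find(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        return False
    try:
        oid, digest = parse_digest_info(em[sep + 1:])
    except ValueError:
        return False
    if oid != SHA1_OID:
        return False
    return hmac.compare_digest(digest, hashlib.sha1(message).digest())


def build_em(message, k):
    """Canonical EM for message with a k-byte modulus (RFC 3447 EMSA-PKCS1-v1_5).

    Comparing a recovered EM against this whole value, rather than parsing it,
    is the simplest way to avoid every lenient-parser variant at once.
    """
    t = (b"\x30\x21\x30\x09\x06\x05" + SHA1_OID + b"\x05\x00\x04\x14"
         + hashlib.sha1(message).digest())
    if k < len(t) + 11:
        raise ValueError("modulus too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def verify_by_comparison(em, message):
    """Verify by reconstruction: constant-time compare of the full EM."""
    return hmac.compare_digest(em, build_em(message, len(em)))
```

In a real verifier the EM comes from the RSA public-key operation on the signature, left-padded with zeros to the modulus length; both functions above then apply to that byte string unchanged.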