BUGS: RSA PKCS#1 signature formatter and deformatter use wrong padding...

From: Pieter Philippaerts (Pieter_at_nospam.mentalis.org)
Date: 02/24/04

    Date: Tue, 24 Feb 2004 17:59:32 +0100
    
    

    Hi there,

    if you use the RSAPKCS1KeyExchangeFormatter and
    RSAPKCS1KeyExchangeDeformatter classes with an RSA key other than an
    RSACryptoServiceProvider, the formatters use a wrong padding.

    The code from the CreateSignature and VerifySignature methods differentiates
    between the RSACryptoServiceProvider and other descendants of the RSA class.
    If the RSA instance is an RSACryptoServiceProvider, the formatter will
    delegate the padding to the Windows CryptoAPI. In this case, everything
    works fine.
    However, if the key is not an RSACryptoServiceProvider [for example, an
    instance of the RSAManaged class from the mono:: project], the formatter
    will do the padding itself and then call the DecryptValue method of the key.
    Unfortunately, the padding that the RSAPKCS1SignatureFormatter and
    RSAPKCS1SignatureDeformatter classes generate is wrong, and this results in
    invalid signatures.

    To test all this, I used the RSAPKCS1SignatureFormatter class to sign a hash
    value [an array of 20 bytes consisting of the values 0x00 to 0x13] with an
    RSACryptoServiceProvider and an RSAManaged instance.

    Here's what the [correct] padding looks like [as generated by the
    RSACryptoServiceProvider]:
    01FF.....FF003021300906052B0E03021A05000414
    000102030405060708090A0B0C0D0E0F10111213

    Here's how the RSAPKCS1SignatureFormatter pads the data [when using an
    RSAManaged]:
    01FF.....FF003021300906052B0E03021A05000414
    000102030405060708090A0B0C0D0E0F10111213
    000102030405060708090A0B0C0D0E0F10111213

    Notice that the value of the hash is included twice in the padded data --
    this should not happen.

    The RSAPKCS1SignatureDeformatter class has the same padding problem.

    The RSAPKCS1SignatureDeformatter also has a second bug in the
    VerifySignature method. At the end of the method, it does something like
    this:
       encSig = Key.EncryptValue(rgbSignature);
       bool signatureCorrect = encSig.Equals(paddedData);
    The signatureCorrect variable will always be false, because the Equals
    method does not compare the contents of the two byte arrays, but rather
    checks for reference equality.

    Regards,
    Pieter Philippaerts

    P.S.: is there an official MS email address we can use to send bug reports
    to? I searched MSDN, but I couldn't find such an address.
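
The two checks described in the post, as an added example that is not part of the original message and is not code from .NET or Mono: it builds the SHA-1 PKCS#1 v1.5 block with the hash appended once (including the leading 0x00 octet that the dumps above do not show) and compares byte arrays by content. The names `Pkcs1V15Sha1`, `Encode` and `SameBytes`, the 128-byte modulus length and the doubled-hash sample are assumptions made for the illustration.

```csharp
using System;
using System.Linq;

static class Pkcs1V15Sha1
{
    // DER DigestInfo prefix for SHA-1: the 3021300906052B0E03021A05000414 bytes in the post.
    static readonly byte[] Sha1Prefix = {
        0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2B, 0x0E,
        0x03, 0x02, 0x1A, 0x05, 0x00, 0x04, 0x14 };

    // Builds 00 01 FF..FF 00 || DigestInfo prefix || hash.
    // The hash is copied exactly once, at the very end of the block.
    public static byte[] Encode(byte[] hash, int modulusBytes)
    {
        if (hash.Length != 20) throw new ArgumentException("SHA-1 hash must be 20 bytes");
        int psLen = modulusBytes - Sha1Prefix.Length - hash.Length - 3;
        if (psLen < 8) throw new ArgumentException("modulus too short for this encoding");
        var em = new byte[modulusBytes];          // em[0] stays 0x00
        em[1] = 0x01;
        for (int i = 2; i < 2 + psLen; i++) em[i] = 0xFF;
        // em[2 + psLen] stays 0x00 and separates the FF run from the DigestInfo
        Buffer.BlockCopy(Sha1Prefix, 0, em, 3 + psLen, Sha1Prefix.Length);
        Buffer.BlockCopy(hash, 0, em, 3 + psLen + Sha1Prefix.Length, hash.Length);
        return em;
    }

    // Compares contents; no early exit once the lengths match.
    public static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] hash = Enumerable.Range(0, 20).Select(i => (byte)i).ToArray(); // 0x00..0x13
        byte[] expected = Encode(hash, 128);
        // Constructed sample of the malformed block: same length, hash present twice.
        byte[] doubled = Encode(hash, 128 - 20).Concat(hash).ToArray();
        // Stand-in for the block recovered from a signature with the public key.
        byte[] recovered = Encode(hash, 128);
        Console.WriteLine(BitConverter.ToString(expected).Replace("-", ""));
        Console.WriteLine(expected.Equals(recovered));   // Object.Equals: reference identity
        Console.WriteLine(SameBytes(expected, recovered)); // content comparison
        Console.WriteLine(SameBytes(expected, doubled));   // well-formed vs doubled-hash block
    }
}
```

Re-encoding the expected block and comparing it whole against the recovered one rejects any deviation in the padding, including a second copy of the hash.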

