
The RSA-PSS implementation does not detect signature modification (prepending "0" bytes) to the signature #438

@adelapie


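The jsrsasign 8.0.16 RSASSA-PSS (RSA-PSS) implementation does not detect zero bytes prepended to a signature and accepts the modified signature as valid. RFC 8017 (section 8.1.2, step 1) requires a verifier to reject any signature whose length differs from the length of the modulus, so a padded signature should fail verification; accepting it makes signatures malleable.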

You can verify this using the following test vectors from Google Wycheproof:

{
  "algorithm" : "RSASSA-PSS",
  "generatorVersion" : "0.8r12",
  "numberOfTests" : 103,
  "header" : [
    "Test vectors of class RsassaPssVerify are intended for checking the",
    "verification of RSASSA-PSS signatures."
  ],
  "notes" : {
  },
  "schema" : "rsassa_pss_verify_schema.json",
  "testGroups" : [
    {
      "e" : "010001",
      "keyAsn" : "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",
      "keyDer" : "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",
      "keyPem" : "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAorRRoH0KpfluRVZxUTVQ\nUUqKW0YuvvcXCU+h/ugiJOY3+XRtP3yv0xh42AMltu9aFwD2WQO0aUKeidbqyIRQ\nl7WrOTGJ25JRLtincRoSU/rNIPecFegkfz0+QuRuSMmOJUov6XZTE6A+/48X4aAp\nOXofomqNzib0kO2BKZYV2YFMItphBCjgnH2WWFlCZvXAIdD87KCNlFoSvoLeTR7O\na0wDFFtdNJXU7VQR64eNrwX9evw+Ca2g8RJkIvWQl1oZaYFvSGmLy7obTZyuedRg\n2Pn4Xnl1AF2bwixOWsD3waRdElaaYoB9O5oC5aUw53MGb0U9H1tMLpz3ggKD90K5\n1QIDAQAB\n-----END PUBLIC KEY-----",
      "keysize" : 2048,
      "mgf" : "MGF1",
      "mgfSha" : "SHA-256",
      "n" : "00a2b451a07d0aa5f96e455671513550514a8a5b462ebef717094fa1fee82224e637f9746d3f7cafd31878d80325b6ef5a1700f65903b469429e89d6eac8845097b5ab393189db92512ed8a7711a1253facd20f79c15e8247f3d3e42e46e48c98e254a2fe9765313a03eff8f17e1a029397a1fa26a8dce26f490ed81299615d9814c22da610428e09c7d9658594266f5c021d0fceca08d945a12be82de4d1ece6b4c03145b5d3495d4ed5411eb878daf05fd7afc3e09ada0f1126422f590975a1969816f48698bcbba1b4d9cae79d460d8f9f85e7975005d9bc22c4e5ac0f7c1a45d12569a62807d3b9a02e5a530e773066f453d1f5b4c2e9cf7820283f742b9d5",
      "sLen" : 32,
      "sha" : "SHA-256",
      "type" : "RsassaPssVerify",
      "tests" : [
        {
          "tcId" : 99,
          "comment" : "prepending 0's to signature",
          "msg" : "313233343030",
          "sig" : "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",
          "result" : "invalid",
          "flags" : []
        },
        {
          "tcId" : 100,
          "comment" : "correct signature",
          "msg" : "313233343030",
          "sig" : "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",
          "result" : "valid",
          "flags" : []
        },
        {
          "tcId" : 101,
          "comment" : "appending 0's to signature",
          "msg" : "313233343030",
          "sig" : "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",
          "result" : "invalid",
          "flags" : []
        }
      ]
    }
  ]
}

in the following proof of concept:


var rs = require('jsrsasign');
var obj = require("./rsa_pss.json");

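// Runs every Wycheproof RSASSA-PSS vector loaded into `obj` through
// jsrsasign's Signature API and prints PASS when the library's verdict agrees
// with the vector's expected result, FAIL otherwise.
//
// Reading the output: a FAIL on a vector whose expected result is "invalid"
// means the library accepted a signature it should have rejected. For the
// "prepending 0's to signature" vector this is a missing length check:
// RFC 8017 section 8.1.2 step 1 requires the verifier to reject a signature
// whose length differs from the modulus length.
for (const testGroup of obj.testGroups) {
  const { keyPem } = testGroup;

  for (const test of testGroup.tests) {
    console.log(`[*] Test ${test.tcId} result: ${test.result}`);

    // This script treats "acceptable" vectors the same as "valid" ones:
    // both are expected to verify; every other result is expected to be rejected.
    const shouldVerify = test.result === "valid" || test.result === "acceptable";

    let accepted;
    try {
      const sig = new rs.Signature({ alg: 'SHA256withRSAandMGF1' });
      sig.init(keyPem);
      sig.updateHex(test.msg);
      accepted = sig.verify(test.sig);
    } catch (e) {
      // An exception during verification counts as a rejection of the signature.
      console.log(`ERROR - VERIFY: ${e}`);
      accepted = false;
    }

    // A verifier must give an unambiguous yes/no answer; report anything else
    // as a failure instead of silently printing no verdict for the vector.
    if (typeof accepted !== "boolean") {
      console.log(`Result: FAIL (verify() returned ${String(accepted)})`);
      continue;
    }

    console.log(accepted === shouldVerify ? "Result: PASS" : "Result: FAIL");
  }
}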

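with the following result (the FAIL on test 99 means the library accepted a signature that the test vector marks as invalid):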

[*] Test 99 result: invalid
Result: FAIL
[*] Test 100 result: valid
Result: PASS
[*] Test 101 result: invalid
Result: PASS

Best regards,
Antonio
