Project

General

Profile

Bug #1377

Invalid EC signature encoding (when using smartcards)...

Added by Luka Logar over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Category:
libstrongswan
Target version:
Start date:
04.04.2016
Due date:
Estimated time:
Affected version:
5.4.0
Resolution:
Fixed

Description

I have noticed occasional

signature validation failed, looking for another key

errors in my logs. After investigating the matter further I have found the following (as I am using smartcard, pkcs11 and openssl modules are used to handle EC signature creation/validation):

On occasion C_Sign() returns r and/or s with a leading 00 byte for example:

r = 00 3D E3 01 D7 D4 BA EA AA 57 6C EB 81 1F 20 37 AF 8B 6A 57 7F E7 F5 B9 F0 3E B2 82 79 24 21 C2 
s = 92 D0 C5 7E 26 04 56 8E DE 34 90 CE 69 C7 12 B6 2C A7 AB 8C 2E 85 0A 2D FB CD 62 62 D9 59 EC B6

strongswan then asn1_wrap() the signature as
30 45 
   02 20 
      00 3D E3 01 D7 D4 BA EA AA 57 6C EB 81 1F 20 37 AF 8B 6A 57 7F E7 F5 B9 F0 3E B2 82 79 24 21 C2 
   02 21 
      00 92 D0 C5 7E 26 04 56 8E DE 34 90 CE 69 C7 12 B6 2C A7 AB 8C 2E 85 0A 2D FB CD 62 62 D9 59 EC B6

keeping the leading 00. ECDSA_verify() however expects the signature to be
30 44 
   02 1F 
      3D E3 01 D7 D4 BA EA AA 57 6C EB 81 1F 20 37 AF 8B 6A 57 7F E7 F5 B9 F0 3E B2 82 79 24 21 C2 
   02 21 
      00 92 D0 C5 7E 26 04 56 8E DE 34 90 CE 69 C7 12 B6 2C A7 AB 8C 2E 85 0A 2D FB CD 62 62 D9 59 EC B6

and the signature validation fails with the above mentioned error.

Kind regards
Luka

Associated revisions

Revision 7316a13b (diff)
Added by Tobias Brunner over 4 years ago

pkcs11: Skip zero-padding of r and s when preparing EC signature

They are zero padded to fill the buffer.

Fixes #1377.

History

#1 Updated by Tobias Brunner over 4 years ago

  • Tracker changed from Issue to Bug
  • Category set to libstrongswan
  • Status changed from New to Feedback
  • Assignee set to Tobias Brunner
  • Target version set to 5.5.0

Thanks for the report. You're absolutely right. The r and s values returned by C_Sign() are just zero-padded to fill the buffer. We need to remove that padding before creating ASN.1 integers. I pushed a fix to the 1377-pkcs11-ec-signatures branch.

#2 Updated by Luka Logar over 4 years ago

I've applied the patches and so far haven't got any "signature validation failed" errors. I think you can safely close this ticket.
Thanks
Luka

#3 Updated by Tobias Brunner over 4 years ago

  • Status changed from Feedback to Closed
  • Resolution set to Fixed

Thanks for testing. I've applied the patches to master.

Also available in: Atom PDF