[openssl-users] gpgsm/cms: int_rsa_verify:wrong signature length

Viktor Dukhovni openssl-users at dukhovni.org
Tue Apr 24 00:47:54 UTC 2018



> On Apr 23, 2018, at 7:44 PM, Salz, Rich via openssl-users <openssl-users at openssl.org> wrote:
> 
> Your key starts with EF...  Since that has the high-bit on, it should be encoded with a leading zero.

Are you sure?  That does not look like a key to me...

More likely to be the signature block.  The broken one
is one byte shorter, and perhaps the issue is that the
RSA encrypted data has a leading byte that happens to
be zero (1 chance in ~<256 depending on high bytes of
modulus), and this got left out. Hence:

 int_rsa_verify:wrong signature length:../crypto/rsa/rsa_sign.c:132:

The code in question is:

   if (siglen != (size_t)RSA_size(rsa)) {
       RSAerr(RSA_F_INT_RSA_VERIFY, RSA_R_WRONG_SIGNATURE_LENGTH);
       return 0;
   }

which clearly shows that signature lengths are expected to be
exactly the same size as the modulus (padded with leading zeros
as needed).

Note that per:

   https://tools.ietf.org/html/rfc8017#section-8.2.1

the signature length MUST be the same as the modulus length.
A 256-byte modulus goes with a 2048-bit key.

-- 
	Viktor.
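
Added example, not part of the original message and not OpenSSL code: it shows how a signature whose top octet is zero ends up one octet short when written as a bare integer, why an exact-length check rejects it, and that re-encoding it to the modulus length gives a blob that verifies. The 648-bit toy modulus, the textbook RSA check without padding, and the helper names minimal_encoding, strict_verify and diagnose are assumptions made for illustration.

```python
# Constructed toy key (product of two Mersenne primes); not a secure RSA key.
N = (2**127 - 1) * (2**521 - 1)
E = 65537
K = (N.bit_length() + 7) // 8          # modulus length in octets: 81

def i2osp(x: int, length: int) -> bytes:
    """RFC 8017 I2OSP: big-endian, left-padded with zeros to `length`."""
    if x >= 256 ** length:
        raise ValueError("integer too large")
    return x.to_bytes(length, "big")

def os2ip(octets: bytes) -> int:
    """RFC 8017 OS2IP: leading zero octets do not change the value."""
    return int.from_bytes(octets, "big")

def minimal_encoding(x: int) -> bytes:
    """Hypothetical faulty emitter: writes the integer without padding."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def strict_verify(sig: bytes, m: int) -> bool:
    """Length check first, as in the quoted code, then textbook s^e mod n."""
    if len(sig) != K:
        return False                   # wrong signature length
    s = os2ip(sig)
    return s < N and pow(s, E, N) == m

def diagnose(sig: bytes) -> str:
    """Classify a signature blob by length against the modulus length."""
    if len(sig) == K:
        return "ok"
    if len(sig) < K:
        return f"short by {K - len(sig)}: leading zero octet(s) likely dropped"
    return f"long by {len(sig) - K}"

# Constructed signature representative whose top octet is 0x00, then 0xEF.
S = os2ip(b"\x00\xef" + bytes(range(1, K - 1)))
M = pow(S, E, N)                       # value that S verifies against
GOOD = i2osp(S, K)                     # correct fixed-length encoding
SHORT = minimal_encoding(S)            # what the faulty emitter writes
REPADDED = i2osp(os2ip(SHORT), K)      # re-encode to modulus length

if __name__ == "__main__":
    for name, sig in (("GOOD", GOOD), ("SHORT", SHORT), ("REPADDED", REPADDED)):
        print(name, len(sig), diagnose(sig), strict_verify(sig, M))
```

The short and re-encoded blobs decode to the same integer, so only the length check tells them apart.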

