
Verify fails with odd keys "rsasign: hSig has wrong length" #112

Closed
alevesely opened this issue Apr 25, 2018 · 2 comments
@alevesely

The relevant code is in modules/rsasign-1.2.js:282

    if (hSig.length != this.n.bitLength() / 4) {
        DKIMVerifier.log.debug("rsasign: hSig has wrong length");
        return 0;
        // throw new Error("rsasign Error: hSig has wrong length");
    }

That test is probably useless (it is not there in newer versions) and is wrong for odd keys, because bitLength() returns the exact length in bits, not the bytes. If the key, and hence the signature, happen to have the four most significant bits zero, hSig.length is the full byte length, while bitLength() / 2 would be an odd number.
An example key (gamma._domainkey.tana.it) is this:

MIGuMA0GCSqGSIb3DQEBAQUAA4GcADCBmAKBkAtziQN+Y0LCjJBbGdAu2R6hgiJ4V
mPi9rQHZtNbVq5G6lwSU2L/eMjuMeiQNa47h8vRiZPRuOkeh4fLjBpBQSGgFnIOhn
tMrBkheNcUiDNHhGKG6E6m54UK0qO34NZ6yRAwv72oJ3UNDPj+Pg7HVaV6DehV0lg
lGlXclZoRu17WooC44YVaMbLwMN0lLozQIDAQAB

00000000  30 81 ae  SEQUENCE 1byte length's length = 0xae = 174 bytes length
                   30 0d  SEQUENCE 13 bytes length
                         06 09 OBJECT 9 bytes
                               2a  86 48 86 f7 0d 01 01 01  |0..0...*.H......|
00000010  05 00 NULL
                03 81 9c  BIT STRING 1byte length's length = 0x9c = 156 bytes
                         00 number of unused bits in the final octet of bitstring
                            30 81  98 SEQUENCE 1byte length's length = 0x98 = 152
                                      02 81 90 INTEGER 1byte length's length =
                                            = 0x90 = 144 bytes length (1148 bits)

                                               0b 73 89 03  |......0......s..|
00000020  7e 63 42 c2 8c 90 5b 19  d0 2e d9 1e a1 82 22 78  |~cB...[......."x|
...

That modulus is not 144*8=1152, but 1148 bits. DER breakdown can be checked here.
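Added example, not code from the DKIM Verifier project or from the issue: it models the length check quoted above next to a comparison against the octet length k = ceil(bitLength / 8) that RFC 8017 uses for signatures, so the 1148-bit key passes. The first 20 modulus bytes come from the DER dump above; the rest of that modulus, the 1152-bit comparison key and the signature strings are constructed.

```javascript
// hSig is a hex string, so hSig.length is twice the signature's byte length,
// while bitLength() is the exact bit length of n. They only agree when the
// bit length is a multiple of 8, i.e. when the top nibble of n is non-zero.

// Exact bit length of a big-endian modulus given as hex (what jsbn's
// BigInteger.bitLength() returns).
function modulusBitLength(nHex) {
  const n = BigInt('0x' + nHex);
  return n === 0n ? 0 : n.toString(2).length;
}

// Octet length k of the modulus as RFC 8017 defines it.
function modulusByteLength(nHex) {
  return Math.ceil(modulusBitLength(nHex) / 8);
}

// The check as quoted from rsasign-1.2.js:282.
function hSigLengthOkOld(hSigHex, nHex) {
  return hSigHex.length === modulusBitLength(nHex) / 4;
}

// Compare the signature's byte count with k instead of with bitLength / 4.
function hSigLengthOkFixed(hSigHex, nHex) {
  return hSigHex.length === 2 * modulusByteLength(nHex);
}

// 144-byte modulus of gamma._domainkey.tana.it: first 20 bytes from the DER
// dump in the issue, remaining 124 bytes constructed filler (only the leading
// byte 0x0b matters for the bit length).
const ODD_KEY_N = '0b7389037e6342c28c905b19d02ed91ea1822278' + 'a5'.repeat(124);
// Constructed 144-byte modulus whose top nibble is set: a full 1152 bits.
const EVEN_KEY_N = 'c5' + 'a5'.repeat(143);

// An RSA signature is always exactly k bytes (I2OSP); constructed stand-in.
function sampleSignatureHex(nHex) {
  return '42'.repeat(modulusByteLength(nHex));
}

function report(label, nHex) {
  const sig = sampleSignatureHex(nHex);
  return { label, bits: modulusBitLength(nHex), hSigLen: sig.length,
           old: hSigLengthOkOld(sig, nHex), fixed: hSigLengthOkFixed(sig, nHex) };
}

console.log(report('1148-bit key', ODD_KEY_N));   // old: false, fixed: true
console.log(report('1152-bit key', EVEN_KEY_N));  // old: true,  fixed: true
```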

@lieser (Owner)

lieser commented Apr 25, 2018

Thanks a lot for the very detailed bug report. I updated rsasign-1.2.js (and asn1hex.js) to the newest version (8.0.12).

As I don't have an e-mail signed with such a key, could you please test it? Thanks.
dkim_verifier@pl.zip

@lieser lieser self-assigned this Apr 25, 2018
@lieser lieser added the bug label Apr 25, 2018
@lieser lieser added this to the 2.0.1 milestone Apr 25, 2018
@alevesely (Author)

I have installed 2.0.1pre1 (on TB 52.7.0 (64-bit)) and it now says "Valid"!

Thank you for a quick fix.

@lieser lieser closed this as completed Apr 30, 2018