Skip to content

[Android] Normalize RSA no-padding output to modulus size to fix VerifyHash #118880

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
simonrozsival merged 1 commit into from
Aug 20, 2025
Merged

[Android] Normalize RSA no-padding output to modulus size to fix VerifyHash #118880

simonrozsival merged 1 commit into from
Aug 20, 2025

Conversation

@simonrozsival
Copy link
Member

@simonrozsival simonrozsival commented Aug 19, 2025

It appears some versions of the Android crypto libraries the "RSA/ECB/NoPadding" returns results as minimal-length big-endian integers (leading 0x00 trimmed), causing RsaVerificationPrimitive to return fewer bytes than the modulus (e.g., 47 vs 48). This breaks RSAAndroid.VerifyHash and tests like PublicKeyTests.TestKey_RSA384_ValidatesSignature fail.

In the failing test, the decryptedBytes contained the following 47 bytes when running on a Samsung device with Android API 35:

0x01 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0xFF 0x00 0x30 0x21 0x30 0x09 0x06 0x05 0x2B 0x0E 0x03 0x02 0x1A 0x05 0x00 0x04 0x14 0xF7 0xFF 0x9E 0x8B 0x7B 0xB2 0xE0 0x9B 0x70 0x93 0x5A 0x5D 0x78 0x5E 0x0C 0xC5 0xD9 0xD0 0xAB 0xF0

The leading 0x00 byte in the signature padding is missing in this case (the expected RSA signature padding is 0x00 0x01 0xFF ... 0xFF 0x00).

Fixes #118366

/cc @bartonjs @vcsjones @vitek-karas @BrzVlad

@simonrozsival
Copy link
Member Author

simonrozsival commented Aug 19, 2025

/azp run runtime-extra-platforms

@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Aug 19, 2025

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 19, 2025

Azure Pipelines successfully started running 1 pipeline(s).

Copilot AI reviewed Aug 19, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a compatibility issue with Android crypto libraries where RSA verification operations return minimal-length results instead of modulus-sized outputs. The fix ensures that RSA verification results are properly normalized to the expected modulus size by left-padding with zeros when necessary.

Key changes:

  • Added validation to ensure decrypted bytes don't exceed expected length
  • Implemented left-padding with zeros to normalize output to modulus size
  • Updated return value calculation to reflect the normalized length

@simonrozsival simonrozsival mentioned this pull request Aug 19, 2025
Closed
This was referenced Aug 19, 2025
Open
Open
Open
Open
@simonrozsival simonrozsival merged commit 1765399 into main Aug 20, 2025
154 of 156 checks passed
@simonrozsival simonrozsival deleted the dev/srozsival/android-fix-rsa-verify-hash-leftpad branch August 20, 2025 07:54
@simonrozsival
Copy link
Member Author

simonrozsival commented Aug 20, 2025

/backport to release/10.0-rc1

@github-actions
Copy link
Contributor

github-actions bot commented Aug 20, 2025

Started backporting to release/10.0-rc1: https://github.com/dotnet/runtime/actions/runs/17096489581

@github-actions github-actions bot mentioned this pull request Aug 20, 2025
Closed
4 tasks
@vcsjones
Copy link
Member

vcsjones commented Aug 20, 2025

@simonrozsival does this impact Android on net9.0 on newer Android versions? If so it might be worth taking the backport back to 9 and 8.

@simonrozsival
Copy link
Member Author

simonrozsival commented Aug 20, 2025

@vcsjones yes, we should backport this to .NET 9 as well. I don't know if we should backport to .NET 8 as well, since .NET MAUI 8 is already out of support.

@simonrozsival
Copy link
Member Author

simonrozsival commented Aug 20, 2025

/backport to release/9.0-staging

@github-actions
Copy link
Contributor

github-actions bot commented Aug 20, 2025

Started backporting to release/9.0-staging: https://github.com/dotnet/runtime/actions/runs/17099292564

@github-actions github-actions bot mentioned this pull request Aug 20, 2025
Closed
4 tasks
@akoeplinger
Copy link
Member

akoeplinger commented Aug 20, 2025

I don't know if we should backport to .NET 8 as well, since .NET MAUI 8 is already out of support.

Given #118366 happened in CI I'd say we should at least backport disabling the test if we don't backport the fix. Or disable running Android jobs in 8.0 😄

@simonrozsival
Copy link
Member Author

simonrozsival commented Aug 21, 2025

/backport to release/10.0

@github-actions
Copy link
Contributor

github-actions bot commented Aug 21, 2025

Started backporting to release/10.0: https://github.com/dotnet/runtime/actions/runs/17120602273

@github-actions github-actions bot mentioned this pull request Aug 21, 2025
Merged
4 tasks
@github-actions github-actions bot locked and limited conversation to collaborators Sep 20, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@bartonjs bartonjs bartonjs approved these changes

@vcsjones vcsjones Awaiting requested review from vcsjones

Assignees

@simonrozsival simonrozsival

Labels

area-System.Security os-android

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Valid RSA-384 signatures are sometimes reported as invalid on Android

5 participants

@simonrozsival @vcsjones @akoeplinger @bartonjs