Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix RSA signature verification issue #679

Merged
merged 1 commit into from
Nov 4, 2024
Merged

Fix RSA signature verification issue #679

merged 1 commit into from
Nov 4, 2024

Conversation

hoihochan
Copy link
Contributor

Both verifyKeySignature() and verifyCertificateVerify() has a bug when handling RSA signature as it looks at the signature algorithm of the certificate to determine whether to verify with RSA PKCSv1.5. This will cause issues if the certificate's issuing CA uses something other than RSA (e.g. ECDSA) to sign the certificate.

Since DTLS v1.2 does not support RSA-PSS [1], we can just use RSA PKCSv1.5 verification directly if the public key of the certificate is RSA.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16

@codecov Codecov
Copy link

codecov bot commented Nov 4, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 50.00000% with 4 lines in your changes missing coverage. Please review.

Project coverage is 78.23%. Comparing base (98a05d6) to head (d2d2fee).
Report is 3 commits behind head on master.

Files with missing lines Patch % Lines
crypto.go 50.00% 2 Missing and 2 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master     #679      +/-   ##
==========================================
- Coverage   80.18%   78.23%   -1.95%     
==========================================
  Files         101      101              
  Lines        5374     6567    +1193     
==========================================
+ Hits         4309     5138     +829     
- Misses        695     1058     +363     
- Partials      370      371       +1
Flag Coverage Δ
go 78.26% <50.00%> (-1.95%) ⬇️
wasm 62.92% <25.00%> (-1.56%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@hoihochan
Fix RSA signature verification issue
d2d2fee 
Both verifyKeySignature() and verifyCertificateVerify() has a bug
when handling RSA signature as it looks at the signature algorithm
of the certificate to determine whether to verify with RSA PKCSv1.5.
This will cause issues if the certificate's issuing CA uses something
other than RSA (e.g. ECDSA) to sign the certificate.

Since DTLS v1.2 does not support RSA-PSS [1], we can just use RSA
PKCSv1.5 verification directly if the public key of the certificate
is RSA.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
@hoihochan hoihochan force-pushed the fix-rsa-verification branch from bb0ea7a to d2d2fee Compare November 4, 2024 04:17
@Sean-Der
Copy link
Member

Sean-Der commented Nov 4, 2024

Thank you so much @hoihochan !

How was the library otherwise? Any things I can improve/change?

@Sean-Der Sean-Der merged commit 3f61fd2 into pion:master Nov 4, 2024
14 of 15 checks passed
@hoihochan
Copy link
Contributor Author

Thank you so much @hoihochan !

How was the library otherwise? Any things I can improve/change?

It's been good. We had an old fork of the library with this fix and I wanted to upstream the change so we can use the upstream library.

When I get time I would like to help on #524

@Sean-Der
Copy link
Member

Sean-Der commented Nov 5, 2024

I would love your help!

Reach out if you need anything. Really appreciate any help :)

@hasheddan hasheddan mentioned this pull request Nov 7, 2024
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Sean-Der Sean-Der Sean-Der approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hoihochan @Sean-Der