Implement RSA verification #4952
Next
Next commit
Implement RSA verification
- Loading branch information
commit b9f144cd27f5f2f5e0a2b952d0ab49404480b7ca
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,134 @@ | ||
| // SPDX-License-Identifier: MIT | ||
| pragma solidity ^0.8.20; | ||
|
|
||
| import {Math} from "../math/Math.sol"; | ||
|
|
||
| /** | ||
| * TODO: | ||
| * - Further optimize ? | ||
| * - Re-write documentation | ||
| * - Update (refactor/add) tests | ||
| * | ||
| * Inspired by Adrià Massanet's work: https://github.com/adria0/SolRsaVerify | ||
| * | ||
| * This program is free software: you can redistribute it and/or modify | ||
| * it under the terms of the GNU General Public License as published by | ||
| * the Free Software Foundation, either version 3 of the License, or | ||
| * at your option) any later version. | ||
| * | ||
| * This program is distributed in the hope that it will be useful, | ||
| * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
| * GNU General Public License for more details. | ||
| * | ||
| * You should have received a copy of the GNU General Public License | ||
| * along with this program. If not, see <http://www.gnu.org/licenses/>. | ||
| * | ||
| * Checked results with FIPS test vectors | ||
| * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-2rsatestvectors.zip | ||
| * file SigVer15_186-3.rsp | ||
| */ | ||
| library RSA { | ||
| /** | ||
| * @dev Verifies a PKCSv1.5 SHA256 signature | ||
| * @param data to verify | ||
| * @param sig is the signature | ||
| * @param exp is the exponent | ||
| * @param mod is the modulus | ||
| */ | ||
| function pkcs1Sha256( | ||
| bytes memory data, | ||
| bytes memory sig, | ||
| bytes memory exp, | ||
| bytes memory mod | ||
| ) public view returns (bool) { | ||
| return pkcs1Sha256(sha256(data), sig, exp, mod); | ||
| } | ||
|
|
||
| /** | ||
| * @dev Verifies a PKCSv1.5 SHA256 signature | ||
| * @param digest is the sha256 of the data | ||
| * @param sig is the signature | ||
| * @param exp is the exponent | ||
| * @param mod is the modulus | ||
| */ | ||
| function pkcs1Sha256( | ||
| bytes32 digest, | ||
| bytes memory sig, | ||
| bytes memory exp, | ||
| bytes memory mod | ||
| ) public view returns (bool) { | ||
| unchecked { | ||
| // cache and check length | ||
| uint256 length = mod.length; | ||
| if (length < 0x40 || length != sig.length) { | ||
ernestognw marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| return false; | ||
| } | ||
|
|
||
| (bool success, bytes memory buffer) = Math.tryModExp(sig, exp, mod); | ||
| if (!success) { | ||
| return false; | ||
| } | ||
|
|
||
| // Check that buffer is well encoded: | ||
| // buffer ::= 0x00 | 0x01 | PS | 0x00 | DigestInfo | ||
| // | ||
| // With | ||
| // - PS is padding filled with 0xFF | ||
| // - DigestInfo ::= SEQUENCE { | ||
| // digestAlgorithm AlgorithmIdentifier, | ||
| // [optional algorithm parameters] | ||
ernestognw marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| // digest OCTET STRING | ||
| // } | ||
|
|
||
| // Get AlgorithmIdentifier from the DigestInfo, and set the parameters accordingly | ||
| bytes32 digestAlgoParam; | ||
| bytes32 digestAlgoParamMask; | ||
| uint256 digestAlgoOffset; | ||
| if (_unsafeReadBytes1(buffer, length - 50) == 0x31) { | ||
| // case: sha256Explicit | ||
| digestAlgoOffset = 0x36; | ||
| digestAlgoParam = 0x003031300d060960864801650304020105000000000000000000000000000000; | ||
| digestAlgoParamMask = 0xffffffffffffffffffffffffffffffffffff0000000000000000000000000000; | ||
| } else if (_unsafeReadBytes1(buffer, length - 48) == 0x2F) { | ||
| // case: sha256Implicit | ||
| digestAlgoOffset = 0x34; | ||
| digestAlgoParam = 0x00302f300b060960864801650304020100000000000000000000000000000000; | ||
| digestAlgoParamMask = 0xffffffffffffffffffffffffffffffff00000000000000000000000000000000; | ||
| } else { | ||
| // unknown | ||
| return false; | ||
| } | ||
|
|
||
| // length is at least 0x40 and digestAlgoOffset is at most 0x34, so this is safe | ||
| uint256 paddingLength = length - digestAlgoOffset; | ||
|
|
||
| // the padding has variable (arbitrary) length, so we check it byte per byte in a loop. | ||
| for (uint256 i = 2; i < paddingLength + 2; ++i) { | ||
| if (_unsafeReadBytes1(buffer, i) != 0xFF) { | ||
| return false; | ||
| } | ||
| } | ||
| // All the other parameters are small enough to fit in a bytes32, so we can check them directly. | ||
| return | ||
| bytes2(0x0001) == _unsafeReadBytes2(buffer, 0x00) && | ||
| digestAlgoParam == _unsafeReadBytes32(buffer, paddingLength + 0x02) & digestAlgoParamMask && | ||
| bytes2(0x0420) == _unsafeReadBytes2(buffer, length - 0x22) && | ||
| digest == _unsafeReadBytes32(buffer, length - 0x20); | ||
| } | ||
| } | ||
|
|
||
| function _unsafeReadBytes32(bytes memory array, uint256 offset) private pure returns (bytes32 result) { | ||
| assembly { | ||
| result := mload(add(add(array, 0x20), offset)) | ||
| } | ||
| } | ||
|
|
||
| function _unsafeReadBytes1(bytes memory array, uint256 offset) private pure returns (bytes1) { | ||
| return bytes1(_unsafeReadBytes32(array, offset)); | ||
| } | ||
|
|
||
| function _unsafeReadBytes2(bytes memory array, uint256 offset) private pure returns (bytes2) { | ||
| return bytes2(_unsafeReadBytes32(array, offset)); | ||
| } | ||
| } | ||
Amxx marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we reject length less than
0x40because it wouldn't be secure. I wonder if0x40was arbitrarily chosen. If so, we need to evaluate it carefully, as far as I remember, RSA's security isp * qso a 512 bits signature is crackable in reasonable time.Found this as a reference, but seems like 512 bits (0x40 bytes) signatures are pretty much broken.
https://github.com/tomrittervg/cloud-and-control/blob/master/gnfs-info/factoring-howto.txt
RFC 3447 is from 2003 and was superseded by RFC 8017, though, I couldn't find a recommendation for the mod length. Allegedly, 512 bits security was first broken in 1999, so my estimations say that we might increase this to
0x80at least.Needs discussion