Overview
| Artifact ID: | acef47a4faca3365db34e529963e5b5f6822a2f465116cb105879b6f0b6921a4 |
|---|---|
| Ticket: | bbdff172a399a771485ddbe9606ce9e2738a5d8c ::pki::verify always returns false when "algo" argument is provided |
| User & Date: | RP. 2020-02-12 11:14:15 |
Changes
- assignee changed to: "nobody"
- closer changed to: "nobody"
- cmimetype changed to: "text/html"
- comment changed to:
As in summary, when the <b>algo</b> argument is provided, <b>::pki::verify</b> always returns false. As I found out, the problem is that when the <b>default</b> algorithm is used, the plaintext value is stripped and converted to an octet string, but when an explicit algo is provided, the final comparison is between plain-text and binary.<br>
The fix that I've made is to always convert <b>plaintext</b> to the octet-string <b>digest</b> (before the <b>if</b> clause):
<pre style="padding: 10px; border-left: solid 5px gray;">
proc ::pki::verify {signedmessage checkmessage keylist {algo default}} {
    package require asn

    if {[catch {
        set plaintext [::pki::decrypt -binary -unpad -pub -- $signedmessage $keylist]
    }]} {
        return false
    }

    # RP - always convert plain text to extracted octet-string digest (original $plaintext is not valid for final comparison with binary hash)
    set digest ""
    catch {
        ::asn::asnGetSequence plaintext message
        ::asn::asnGetSequence message digestInfo
        ::asn::asnGetOctetString message digest
    }

    if {$algo eq "default"} {
        set algoId "unknown"
        catch {
            ::asn::asnGetObjectIdentifier digestInfo algoId
            set algoId [::pki::_oid_number_to_name $algoId]
        }
    } else {
        set algoId $algo
    }

    switch -- $algoId {
        "md5" - "md5WithRSAEncryption" {
            set checkdigest [md5::md5 $checkmessage]
        }
        "sha1" - "sha1WithRSAEncryption" {
            set checkdigest [sha1::sha1 -bin $checkmessage]
        }
        "sha256" - "sha256WithRSAEncryption" {
            set checkdigest [sha2::sha256 -bin $checkmessage]
        }
        default {
            return -code error "Unknown hashing algorithm: $algoId"
        }
    }

    return [expr {$checkdigest eq $digest}]
}
</pre>
- foundin changed to: "0.10"
- is_private changed to: "0"
- login: "RP."
- priority changed to: "5 Medium"
- private_contact changed to: "50d9392564d29f4876848cc135e7ea56eed25957"
- resolution changed to: "None"
- severity changed to: "Important"
- status changed to: "Open"
- submitter changed to: "RP."
- subsystem changed to: "pki"
- title changed to:
::pki::verify always returns false when "algo" argument is provided
- type changed to: "Bug"
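
The mismatch described in the ticket comment, as an added example that is not code from the ticket or from tcllib: the block recovered from a PKCS#1 v1.5 signature is a DER-encoded DigestInfo, so comparing it directly with a raw hash can never succeed. The sample message, the variable names and the `parseDigestInfo` helper are assumptions made for illustration; the helper goes slightly beyond the ticket by also rejecting trailing bytes and returning the embedded OID so it can be checked against the requested algorithm.

```tcl
package require asn
package require sha256

# Constructed sample input; not taken from the ticket.
set message "constructed sample message"
set hash    [::sha2::sha256 -bin $message]

# DigestInfo as it sits inside the decrypted signature block:
#   SEQUENCE { SEQUENCE { OID sha256, NULL }, OCTET STRING hash }
set sha256Oid  {2 16 840 1 101 3 4 2 1}
set digestInfo [::asn::asnSequence \
    [::asn::asnSequence [::asn::asnObjectIdentifier $sha256Oid] [::asn::asnNull]] \
    [::asn::asnOctetString $hash]]

# Hypothetical helper: returns {oid digest}; raises an error on malformed
# input or on any bytes left over after the expected fields.
proc parseDigestInfo {der} {
    ::asn::asnGetSequence der body
    if {[string length $der] != 0} {
        error "trailing bytes after DigestInfo"
    }
    ::asn::asnGetSequence body algId
    ::asn::asnGetObjectIdentifier algId oid
    ::asn::asnGetOctetString body digest
    if {[string length $body] != 0} {
        error "trailing bytes after digest"
    }
    return [list $oid $digest]
}

# Comparison made when an explicit algo is passed: raw hash vs. DER blob.
puts "hash eq DigestInfo blob : [expr {$hash eq $digestInfo}]"

# Comparison after extracting the OCTET STRING, plus an OID consistency check.
if {[catch {lassign [parseDigestInfo $digestInfo] oid digest} err]} {
    puts "rejected: $err"
} else {
    puts "hash eq extracted digest: [expr {$hash eq $digest}]"
    puts "OID matches sha256      : [expr {$oid eq $sha256Oid}]"
}

# A block with appended bytes must be refused rather than silently accepted.
if {[catch {parseDigestInfo "${digestInfo}\x00"} err]} {
    puts "padded block rejected   : $err"
}
```

Unlike a bare `catch` around the ASN.1 calls, the helper surfaces parse failures to the caller, so a malformed block is distinguishable from a digest mismatch.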