On Wed, Feb 12, 2020 at 11:10 AM Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

> M K Saravanan <mksa...@gmail.com> writes:
>
> >Is this allowed? i.e. stripping the leading zero of the RSA signature and
> >marking the length as 255? It is not clear to me from the RFC5246 whether
> >it is allowed or not.
>
> It's not allowed according to the spec but a number of implementations do it
> because their underlying bignum libraries perform leading-zero truncation, so
> you're better off allowing it to avoid breakage.
>

For web use cases, this does not appear to be necessary. BoringSSL and
Chrome do not accept such signatures and have not for around five years
now. (Possibly longer. I do not know off-hand what Chrome's behavior was
when it used NSS.) I don't think I've ever seen a report of problems with a
website, and the specification quite clearly says to reject those
signatures. The robustness principle sounds plausible at face value, but I
think we now have the experience to know otherwise.
https://tools.ietf.org/html/draft-iab-protocol-maintenance-04

Note that bignum libraries that perform leading-zero truncation are
unlikely to be suitable for cryptography anyway. Signatures are public
values, but if you're implementing RSA decryption and care about side
channel attacks, fixed-width in-memory representations and serialization
functions are mandatory.
http://archiv.infsec.ethz.ch/education/fs08/secsem/Manger01.pdf
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
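
The length question discussed in this thread, as an added example that is not part of the original message: a fixed-width encoder next to a leading-zero-truncating one, and a verifier that rejects any signature whose length differs from the modulus length. The toy key (two Mersenne primes), textbook RSA without padding, and all function names are assumptions made for illustration; the key is far too small for real use.

```python
# Added illustration: constructed toy key, textbook RSA (no padding).
P, Q = 2**61 - 1, 2**89 - 1            # two Mersenne primes (constructed)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8          # modulus length in octets (19 here)

def i2osp(x, length):
    """Fixed-width big-endian encoding; OverflowError if x does not fit."""
    return x.to_bytes(length, "big")

def minimal_bytes(x):
    """What a serializer that truncates leading zeros would emit."""
    return x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")

def sign(m):
    return pow(m, D, N)

def verify_strict(sig, m):
    """Reject signatures whose length is not exactly the modulus length."""
    if len(sig) != K:
        return False
    s = int.from_bytes(sig, "big")
    return s < N and pow(s, E, N) == m

def verify_lenient(sig, m):
    """Same check without the length test: tolerates stripped zeros."""
    s = int.from_bytes(sig, "big")
    return s < N and pow(s, E, N) == m

def find_short_signature():
    """Search message representatives until the top octet of s is zero."""
    m = 2
    while sign(m).bit_length() > 8 * (K - 1):
        m += 1
    return m, sign(m)

if __name__ == "__main__":
    m, s = find_short_signature()
    fixed, short = i2osp(s, K), minimal_bytes(s)
    print("modulus octets:", K)
    print("fixed-width   :", len(fixed), "octets, strict ok =", verify_strict(fixed, m))
    print("truncated     :", len(short), "octets, strict ok =", verify_strict(short, m))
    print("truncated, lenient verifier ok =", verify_lenient(short, m))
```
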