const unsigned char *hash_oid, size_t hash_len,
const br_rsa_public_key *pk, unsigned char *hash_out)
{
- static const unsigned char pad1[] = {
- 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
- };
-
unsigned char sig[BR_MAX_RSA_SIZE >> 3];
- unsigned char pad2[43];
- size_t u, x2, x3, pad_len, zlen;
- if (xlen > (sizeof sig) || xlen < 11) {
+ if (xlen > (sizeof sig)) {
return 0;
}
memcpy(sig, x, xlen);
if (!br_rsa_i32_public(sig, xlen, pk)) {
return 0;
}
-
- /*
- * Expected format:
- * 00 01 FF ... FF 00 30 x1 30 x2 06 x3 OID [ 05 00 ] 04 x4 HASH
- *
- * with the following rules:
- *
- * -- Total length is that of the modulus and the signature
- * (this was already verified by br_rsa_i32_public()).
- *
- * -- There are at least eight bytes of value 0xFF.
- *
- * -- x4 is equal to the hash length (hash_len).
- *
- * -- x3 is equal to the encoded OID value length (so x3 is the
- * first byte of hash_oid[]).
- *
- * -- If the "05 00" is present, then x2 == x3 + 4; otherwise,
- * x2 == x3 + 2.
- *
- * -- x1 == x2 + x4 + 4.
- *
- * So the total length after the last "FF" is either x3 + x4 + 11
- * (with the "05 00") or x3 + x4 + 9 (without the "05 00").
- */
-
- /*
- * Check the "00 01 FF .. FF 00" with at least eight 0xFF bytes.
- * The comparaison is valid because we made sure that the signature
- * is at least 11 bytes long.
- */
- if (memcmp(sig, pad1, sizeof pad1) != 0) {
- return 0;
- }
- for (u = sizeof pad1; u < xlen; u ++) {
- if (sig[u] != 0xFF) {
- break;
- }
- }
-
- /*
- * Remaining length is xlen - u bytes (including the 00 just
- * after the last FF). This must be equal to one of the two
- * possible values (depending on whether the "05 00" sequence is
- * present or not).
- */
- if (hash_oid == NULL) {
- if (xlen - u != hash_len + 1 || sig[u] != 0x00) {
- return 0;
- }
- } else {
- x3 = hash_oid[0];
- pad_len = x3 + 9;
- memset(pad2, 0, pad_len);
- zlen = xlen - u - hash_len;
- if (zlen == pad_len) {
- x2 = x3 + 2;
- } else if (zlen == pad_len + 2) {
- x2 = x3 + 4;
- pad_len = zlen;
- pad2[pad_len - 4] = 0x05;
- } else {
- return 0;
- }
- pad2[1] = 0x30;
- pad2[2] = x2 + hash_len + 4;
- pad2[3] = 0x30;
- pad2[4] = x2;
- pad2[5] = 0x06;
- memcpy(pad2 + 6, hash_oid, x3 + 1);
- pad2[pad_len - 2] = 0x04;
- pad2[pad_len - 1] = hash_len;
- if (memcmp(pad2, sig + u, pad_len) != 0) {
- return 0;
- }
- }
- memcpy(hash_out, sig + xlen - hash_len, hash_len);
- return 1;
+ return br_rsa_pkcs1_sig_unpad(sig, xlen, hash_oid, hash_len, hash_out);
}