-
Notifications
You must be signed in to change notification settings - Fork 11.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement RSA verification #4952
Open
Amxx
wants to merge
21
commits into
OpenZeppelin:master
Choose a base branch
from
Amxx:feature/RSA
base: master
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+4,100
−0
Open
Changes from 10 commits
Commits
Show all changes
21 commits
Select commit
Hold shift + click to select a range
b9f144c
Implement RSA verification
Amxx 41949e6
up
Amxx 0abe46b
simplify
Amxx 0a1691c
test directly from the SigVer15-186-3.rsp
Amxx 1189ae7
update
Amxx d98a3f9
fix lint
Amxx 2ef35d1
update todo
Amxx f110d43
up
Amxx 6dcc26d
simplify parser
Amxx 1b2ba49
add RSA to mocks/Stateless.sol
Amxx fe0927f
Merge branch 'master' into feature/RSA
Amxx 78301ea
Merge branch 'master' into feature/RSA
ernestognw 74d667c
Improve documentation
ernestognw b6334ea
Add changeset
ernestognw 5379609
Improve comments
ernestognw 667c8b2
Fix
ernestognw d3eb6a5
Fix test
ernestognw fbd2130
Nits
ernestognw cc37629
Improve tests
ernestognw 0127de3
Improve tests 2
ernestognw 445d6fa
Do fix tests
ernestognw File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,118 @@ | ||
// SPDX-License-Identifier: MIT | ||
pragma solidity ^0.8.20; | ||
|
||
import {Math} from "../math/Math.sol"; | ||
|
||
/** | ||
* TODO: | ||
* - Further optimize ? | ||
* - Write documentation | ||
* | ||
* Inspired by Adrià Massanet's work: https://github.com/adria0/SolRsaVerify | ||
*/ | ||
library RSA { | ||
/** | ||
* @dev Verifies a PKCSv1.5 SHA256 signature | ||
* @param data to verify | ||
* @param sig is the signature | ||
* @param exp is the exponent | ||
* @param mod is the modulus | ||
*/ | ||
function pkcs1Sha256( | ||
bytes memory data, | ||
bytes memory sig, | ||
bytes memory exp, | ||
bytes memory mod | ||
) internal view returns (bool) { | ||
return pkcs1Sha256(sha256(data), sig, exp, mod); | ||
} | ||
|
||
/** | ||
* @dev Verifies a PKCSv1.5 SHA256 signature | ||
* @param digest is the sha256 of the data | ||
* @param sig is the signature | ||
* @param exp is the exponent | ||
* @param mod is the modulus | ||
*/ | ||
function pkcs1Sha256( | ||
bytes32 digest, | ||
bytes memory sig, | ||
bytes memory exp, | ||
bytes memory mod | ||
) internal view returns (bool) { | ||
unchecked { | ||
// cache and check length | ||
uint256 length = mod.length; | ||
if (length < 0x40 || length != sig.length) { | ||
ernestognw marked this conversation as resolved.
Show resolved
Hide resolved
|
||
return false; | ||
} | ||
|
||
(bool success, bytes memory buffer) = Math.tryModExp(sig, exp, mod); | ||
if (!success) { | ||
return false; | ||
} | ||
|
||
// Check that buffer is well encoded: | ||
// buffer ::= 0x00 | 0x01 | PS | 0x00 | DigestInfo | ||
// | ||
// With | ||
// - PS is padding filled with 0xFF | ||
// - DigestInfo ::= SEQUENCE { | ||
// digestAlgorithm AlgorithmIdentifier, | ||
// [optional algorithm parameters] | ||
// digest OCTET STRING | ||
// } | ||
|
||
// Get AlgorithmIdentifier from the DigestInfo, and set the config accordingly | ||
// - params: includes 00 + first part of DigestInfo | ||
// - mask: filter to check the params | ||
// - offset: length of the suffix (including digest) | ||
bytes32 params; | ||
bytes32 mask; | ||
uint256 offset; | ||
if (_unsafeReadBytes1(buffer, length - 50) == 0x31) { | ||
// case: sha256Explicit | ||
offset = 0x34; | ||
params = 0x003031300d060960864801650304020105000420000000000000000000000000; | ||
mask = 0xffffffffffffffffffffffffffffffffffffffff000000000000000000000000; | ||
} else if (_unsafeReadBytes1(buffer, length - 48) == 0x2F) { | ||
// case: sha256Implicit | ||
offset = 0x32; | ||
params = 0x00302f300b060960864801650304020104200000000000000000000000000000; | ||
mask = 0xffffffffffffffffffffffffffffffffffff0000000000000000000000000000; | ||
} else { | ||
// unknown | ||
return false; | ||
} | ||
ernestognw marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
// Length is at least 0x40 and offset is at most 0x34, so this is safe. There is always some padding. | ||
uint256 paddingEnd = length - offset; | ||
|
||
// The padding has variable (arbitrary) length, so we check it byte per byte in a loop. | ||
for (uint256 i = 2; i < paddingEnd; ++i) { | ||
if (_unsafeReadBytes1(buffer, i) != 0xFF) { | ||
return false; | ||
} | ||
} | ||
// All the other parameters are small enough to fit in a bytes32, so we can check them directly. | ||
return | ||
bytes2(0x0001) == _unsafeReadBytes2(buffer, 0x00) && | ||
params == _unsafeReadBytes32(buffer, paddingEnd) & mask && | ||
digest == _unsafeReadBytes32(buffer, length - 0x20); | ||
} | ||
} | ||
|
||
function _unsafeReadBytes32(bytes memory array, uint256 offset) private pure returns (bytes32 result) { | ||
assembly { | ||
result := mload(add(add(array, 0x20), offset)) | ||
} | ||
} | ||
|
||
function _unsafeReadBytes1(bytes memory array, uint256 offset) private pure returns (bytes1) { | ||
return bytes1(_unsafeReadBytes32(array, offset)); | ||
} | ||
|
||
function _unsafeReadBytes2(bytes memory array, uint256 offset) private pure returns (bytes2) { | ||
return bytes2(_unsafeReadBytes32(array, offset)); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
const path = require('path'); | ||
const fs = require('fs'); | ||
|
||
module.exports = function* parse(file) { | ||
const cache = {}; | ||
const data = fs.readFileSync(path.resolve(__dirname, file), 'utf8'); | ||
for (const line of data.split('\r\n')) { | ||
const groups = line.match(/^(?<key>\w+) = (?<value>\w+)(?<extra>.*)$/)?.groups; | ||
if (groups) { | ||
const { key, value, extra } = groups; | ||
cache[key] = value; | ||
if (groups.key === 'Result') { | ||
yield Object.assign({ extra: extra.trim() }, cache); | ||
} | ||
} | ||
} | ||
}; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,69 @@ | ||
const { ethers } = require('hardhat'); | ||
const { expect } = require('chai'); | ||
const { loadFixture } = require('@nomicfoundation/hardhat-network-helpers'); | ||
|
||
const parse = require('./RSA.helper'); | ||
|
||
async function fixture() { | ||
return { mock: await ethers.deployContract('$RSA') }; | ||
} | ||
|
||
describe('RSA', function () { | ||
beforeEach(async function () { | ||
Object.assign(this, await loadFixture(fixture)); | ||
}); | ||
|
||
// Load test cases from file SigVer15_186-3.rsp from: | ||
// https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-2rsatestvectors.zip | ||
describe('SigVer15_186-3.rsp tests', function () { | ||
for (const test of parse('SigVer15_186-3.rsp')) { | ||
const { length } = Buffer.from(test.S, 'hex'); | ||
|
||
/// For now, RSA only supports digest that are 32bytes long. If we ever extend that, we can use these hashing functions for @noble: | ||
// const { sha1 } = require('@noble/hashes/sha1'); | ||
// const { sha224, sha256 } = require('@noble/hashes/sha256'); | ||
// const { sha384, sha512 } = require('@noble/hashes/sha512'); | ||
|
||
if (test.SHAAlg === 'SHA256') { | ||
it(`signature length ${length} ${test.extra}`, async function () { | ||
const data = '0x' + test.Msg; | ||
const sig = '0x' + test.S; | ||
const exp = '0x' + test.e; | ||
const mod = '0x' + test.n; | ||
const result = test.Result === 'P'; | ||
|
||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes32(ethers.sha256(data)), sig, exp, mod)).to.equal( | ||
result, | ||
); | ||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes(data), sig, exp, mod)).to.equal(result); | ||
}); | ||
} | ||
} | ||
}); | ||
|
||
describe('others tests', function () { | ||
it(`openssl`, async function () { | ||
const data = ethers.toUtf8Bytes('hello world'); | ||
const sig = | ||
'0x079bed733b48d69bdb03076cb17d9809072a5a765460bc72072d687dba492afe951d75b814f561f253ee5cc0f3d703b6eab5b5df635b03a5437c0a5c179309812f5b5c97650361c645bc99f806054de21eb187bc0a704ed38d3d4c2871a117c19b6da7e9a3d808481c46b22652d15b899ad3792da5419e50ee38759560002388'; | ||
const exp = | ||
'0x0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010001'; | ||
const mod = | ||
'0xdf3edde009b96bc5b03b48bd73fe70a3ad20eaf624d0dc1ba121a45cc739893741b7cf82acf1c91573ec8266538997c6699760148de57e54983191eca0176f518e547b85fe0bb7d9e150df19eee734cf5338219c7f8f7b13b39f5384179f62c135e544cb70be7505751f34568e06981095aeec4f3a887639718a3e11d48c240d'; | ||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes(data), sig, exp, mod)).to.be.true; | ||
}); | ||
|
||
// According to RFC4055, pg.5 and RFC8017, pg. 64, for SHA-1, and the SHA-2 family, | ||
// the algorithm parameter has to be NULL and both explicit NULL parameter and implicit | ||
// NULL parameter (ie, absent NULL parameter) are considered to be legal and equivalent. | ||
it(`rfc8017 implicit null parameter`, async function () { | ||
const data = ethers.toUtf8Bytes('hello world!'); | ||
const sig = | ||
'0xa0073057133ff3758e7e111b4d7441f1d8cbe4b2dd5ee4316a14264290dee5ed7f175716639bd9bb43a14e4f9fcb9e84dedd35e2205caac04828b2c053f68176d971ea88534dd2eeec903043c3469fc69c206b2a8694fd262488441ed8852280c3d4994e9d42bd1d575c7024095f1a20665925c2175e089c0d731471f6cc145404edf5559fd2276e45e448086f71c78d0cc6628fad394a34e51e8c10bc39bfe09ed2f5f742cc68bee899d0a41e4c75b7b80afd1c321d89ccd9fe8197c44624d91cc935dfa48de3c201099b5b417be748aef29248527e8bbb173cab76b48478d4177b338fe1f1244e64d7d23f07add560d5ad50b68d6649a49d7bc3db686daaa7'; | ||
const exp = '0x03'; | ||
const mod = | ||
'0xe932ac92252f585b3a80a4dd76a897c8b7652952fe788f6ec8dd640587a1ee5647670a8ad4c2be0f9fa6e49c605adf77b5174230af7bd50e5d6d6d6d28ccf0a886a514cc72e51d209cc772a52ef419f6a953f3135929588ebe9b351fca61ced78f346fe00dbb6306e5c2a4c6dfc3779af85ab417371cf34d8387b9b30ae46d7a5ff5a655b8d8455f1b94ae736989d60a6f2fd5cadbffbd504c5a756a2e6bb5cecc13bca7503f6df8b52ace5c410997e98809db4dc30d943de4e812a47553dce54844a78e36401d13f77dc650619fed88d8b3926e3d8e319c80c744779ac5d6abe252896950917476ece5e8fc27d5f053d6018d91b502c4787558a002b9283da7'; | ||
expect(await this.mock.$pkcs1Sha256(ethers.Typed.bytes(data), sig, exp, mod)).to.be.true; | ||
}); | ||
}); | ||
}); |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess we reject length less than
0x40
because it wouldn't be secure. I wonder if0x40
was arbitrarily chosen. If so, we need to evaluate it carefully, as far as I remember, RSA's security isp * q
so a 512 bits signature is crackable in reasonable time.Found this as a reference, but seems like 512 bits (0x40 bytes) signatures are pretty much broken.
https://github.com/tomrittervg/cloud-and-control/blob/master/gnfs-info/factoring-howto.txt
RFC 3447 is from 2003 and was superseded by RFC 8017, though, I couldn't find a recommendation for the mod length. Allegedly, 512 bits security was first broken in 1999, so my estimations say that we might increase this to
0x80
at least.Needs discussion