lib/rsa.js - Issue 9001046: Fixed wrongly rejected RSA signatures

Unified Diff: lib/rsa.js

Issue 9001046: Fixed wrongly rejected RSA signatures (Closed)

Patch Set: Created Dec. 11, 2012, 4:36 p.m.

Use n/p to move between diff chunks; N/P to move between comments.

Jump to:

View side-by-side diff with in-line comments

Index: lib/rsa.js

===================================================================

--- a/lib/rsa.js

+++ b/lib/rsa.js

@@ -9,183 +9,185 @@

* Adblock Plus is distributed in the hope that it will be useful,

* but WITHOUT ANY WARRANTY; without even the implied warranty of

* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the

* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License

* along with Adblock Plus. If not, see <http://www.gnu.org/licenses/>.

-/**

- * This is a specialized RSA library meant only to verify SHA1-based signatures.

- * It requires jsbn.js and sha1.js to work.

- */

-(function(globalObj)

- // Define ASN.1 templates for the data structures used

- function seq()

- {

- return {type: 0x30, children: Array.prototype.slice.call(arguments)};

- }

- function obj(id)

- {

- return {type: 0x06, content: id};

- }

- function bitStr(contents)

- {

- return {type: 0x03, encapsulates: contents};

- }

- function intResult(id)

- {

- return {type: 0x02, out: id};

- }

- function octetResult(id)

- {

- return {type: 0x04, out: id};

- }

- // See http://www.cryptopp.com/wiki/Keys_and_Formats#RSA_PublicKey

- // 2A 86 48 86 F7 0D 01 01 01 means 1.2.840.113549.1.1.1

- var publicKeyTemplate = seq(seq(obj("\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"), {}), bitStr(seq(intResult("n"), intResult("e"))));

- // See http://tools.ietf.org/html/rfc3447#section-9.2 step 2

- // 2B 0E 03 02 1A means 1.3.14.3.2.26

- var signatureTemplate = seq(seq(obj("\x2B\x0E\x03\x02\x1A"), {}), octetResult("sha1"));

- /**

- * Reads ASN.1 data matching the template passed in. This will throw an

- * exception if the data format doesn't match the template. On success an

- * object containing result properties is returned.

- *

- * See http://luca.ntop.org/Teaching/Appunti/asn1.html for info on the format.

- */

- function readASN1(data, templ)

- {

- var pos = 0;

- function next()

- {

- return data.charCodeAt(pos++);

- }

- function readLength()

- {

- var len = next();

- if (len & 0x80)

- {

- var cnt = len & 0x7F;

- if (cnt > 2 || cnt == 0)

- throw "Unsupported length";

- len = 0;

- for (var i = 0; i < cnt; i++)

- len += next() << (cnt - 1 - i) * 8;

- return len;

- }

- else

- return len;

- }

- function readNode(curTempl)

- {

- var type = next();

- var len = readLength();

- if ("type" in curTempl && curTempl.type != type)

- throw "Unexpected type";

- if ("content" in curTempl && curTempl.content != data.substr(pos, len))

- throw "Unexpected content";

- if ("out" in curTempl)

- out[curTempl.out] = new BigInteger(data.substr(pos, len), 256);

- if ("children" in curTempl)

- {

- var i, end;

- for (i = 0, end = pos + len; pos < end; i++)

- {

- if (i >= curTempl.children.length)

- throw "Too many children";

- readNode(curTempl.children[i]);

- }

- if (i < curTempl.children.length)

- throw "Too few children";

- if (pos > end)

- throw "Children too large";

- }

- else if ("encapsulates" in curTempl)

- {

- if (next() != 0)

- throw "Encapsulation expected";

- readNode(curTempl.encapsulates);

- }

- else

- pos += len;

- }

- var out = {};

- readNode(templ);

- if (pos != data.length)

- throw "Too much data";

- return out;

- }

- /**

- * Reads a BER-encoded RSA public key. On success returns an object with the

- * properties n and e (the components of the key), otherwise null.

- */

- function readPublicKey(key)

- {

- try

- {

- return readASN1(atob(key), publicKeyTemplate);

- }

- catch (e)

- {

- console.log("Invalid RSA public key: " + e);

- return null;

- }

- /**

- * Checks whether the signature is valid for the given public key and data.

- */

- function verifySignature(key, signature, data)

- {

- var keyData = readPublicKey(key);

- if (!keyData)

- return false;

- // We need the exponent as regular number

- keyData.e = parseInt(keyData.e.toString(16), 16);

- // Decrypt signature data using RSA algorithm

- var sigInt = new BigInteger(atob(signature), 256);

- var digest = sigInt.modPowInt(keyData.e, keyData.n).toString(256);

- try

- {

- var pos = 0;

- function next()

- {

- return digest.charCodeAt(pos++);

- }

- // Skip padding, see http://tools.ietf.org/html/rfc3447#section-9.2 step 5

- if (next() != 1)

- throw "Wrong padding in signature digest";

- while (next() == 255) {}

- if (digest.charCodeAt(pos - 1) != 0)

- throw "Wrong padding in signature digest";

- // Rest is an ASN.1 structure, get the SHA1 hash from it

- var sha1 = readASN1(digest.substr(pos), signatureTemplate).sha1;

- return (sha1.toString(16) == SHA1(data));

- }

- catch (e)

- {

- console.log("Invalid encrypted signature: " + e);

- return false;

- }

- // Export verifySignature function, everything else is private.

- globalObj.verifySignature = verifySignature;

-})(this);

+/**

+ * This is a specialized RSA library meant only to verify SHA1-based signatures.

+ * It requires jsbn.js and sha1.js to work.

+ */

+(function(globalObj)

+ // Define ASN.1 templates for the data structures used

+ function seq()

+ {

+ return {type: 0x30, children: Array.prototype.slice.call(arguments)};

+ }

+ function obj(id)

+ {

+ return {type: 0x06, content: id};

+ }

+ function bitStr(contents)

+ {

+ return {type: 0x03, encapsulates: contents};

+ }

+ function intResult(id)

+ {

+ return {type: 0x02, out: id};

+ }

+ function octetResult(id)

+ {

+ return {type: 0x04, out: id};

+ }

+ // See http://www.cryptopp.com/wiki/Keys_and_Formats#RSA_PublicKey

+ // 2A 86 48 86 F7 0D 01 01 01 means 1.2.840.113549.1.1.1

+ var publicKeyTemplate = seq(seq(obj("\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01"), {}), bitStr(seq(intResult("n"), intResult("e"))));

+ // See http://tools.ietf.org/html/rfc3447#section-9.2 step 2

+ // 2B 0E 03 02 1A means 1.3.14.3.2.26

+ var signatureTemplate = seq(seq(obj("\x2B\x0E\x03\x02\x1A"), {}), octetResult("sha1"));

+ /**

+ * Reads ASN.1 data matching the template passed in. This will throw an

+ * exception if the data format doesn't match the template. On success an

+ * object containing result properties is returned.

+ *

+ * See http://luca.ntop.org/Teaching/Appunti/asn1.html for info on the format.

+ */

+ function readASN1(data, templ)

+ {

+ var pos = 0;

+ function next()

+ {

+ return data.charCodeAt(pos++);

+ }

+ function readLength()

+ {

+ var len = next();

+ if (len & 0x80)

+ {

+ var cnt = len & 0x7F;

+ if (cnt > 2 || cnt == 0)

+ throw "Unsupported length";

+ len = 0;

+ for (var i = 0; i < cnt; i++)

+ len += next() << (cnt - 1 - i) * 8;

+ return len;

+ }

+ else

+ return len;

+ }

+ function readNode(curTempl)

+ {

+ var type = next();

+ var len = readLength();

+ if ("type" in curTempl && curTempl.type != type)

+ throw "Unexpected type";

+ if ("content" in curTempl && curTempl.content != data.substr(pos, len))

+ throw "Unexpected content";

+ if ("out" in curTempl)

+ out[curTempl.out] = new BigInteger(data.substr(pos, len), 256);

+ if ("children" in curTempl)

+ {

+ var i, end;

+ for (i = 0, end = pos + len; pos < end; i++)

+ {

+ if (i >= curTempl.children.length)

+ throw "Too many children";

+ readNode(curTempl.children[i]);

+ }

+ if (i < curTempl.children.length)

+ throw "Too few children";

+ if (pos > end)

+ throw "Children too large";

+ }

+ else if ("encapsulates" in curTempl)

+ {

+ if (next() != 0)

+ throw "Encapsulation expected";

+ readNode(curTempl.encapsulates);

+ }

+ else

+ pos += len;

+ }

+ var out = {};

+ readNode(templ);

+ if (pos != data.length)

+ throw "Too much data";

+ return out;

+ }

+ /**

+ * Reads a BER-encoded RSA public key. On success returns an object with the

+ * properties n and e (the components of the key), otherwise null.

+ */

+ function readPublicKey(key)

+ {

+ try

+ {

+ return readASN1(atob(key), publicKeyTemplate);

+ }

+ catch (e)

+ {

+ console.log("Invalid RSA public key: " + e);

+ return null;

+ }

+ /**

+ * Checks whether the signature is valid for the given public key and data.

+ */

+ function verifySignature(key, signature, data)

+ {

+ var keyData = readPublicKey(key);

+ if (!keyData)

+ return false;

+ // We need the exponent as regular number

+ keyData.e = parseInt(keyData.e.toString(16), 16);

+ // Decrypt signature data using RSA algorithm

+ var sigInt = new BigInteger(atob(signature), 256);

+ var digest = sigInt.modPowInt(keyData.e, keyData.n).toString(256);

+ try

+ {

+ var pos = 0;

+ function next()

+ {

+ return digest.charCodeAt(pos++);

+ }

+ // Skip padding, see http://tools.ietf.org/html/rfc3447#section-9.2 step 5

+ if (next() != 1)

+ throw "Wrong padding in signature digest";

+ while (next() == 255) {}

+ if (digest.charCodeAt(pos - 1) != 0)

+ throw "Wrong padding in signature digest";

+ // Rest is an ASN.1 structure, get the SHA1 hash from it

+ var sha1 = readASN1(digest.substr(pos), signatureTemplate).sha1.toString(16);

+ while (sha1.length < 40)

+ sha1 = "0" + sha1; // Zero-pad to the right length

+ return (sha1 == SHA1(data));

+ }

+ catch (e)

+ {

+ console.log("Invalid encrypted signature: " + e);

+ return false;

+ }

+ // Export verifySignature function, everything else is private.

+ globalObj.verifySignature = verifySignature;

+})(this);

« no previous file with comments | « no previous file | qunit/tests/signatures.js » ('j') | no next file with comments »