Bonjour,
Le 02/04/2012 13:21, Tamir Khason via RT a écrit :
> There is a bug in ASN.1 DER serializer used to generate RSA private
> keys. It trims trailing zeros despite the DER specification. Please
> see the full info and reproduction steps in my blog
> http://khason.net/dev/openssl-bug-or-why-some-private-keys-cannot-be-used-for-net/#comments
>
You're wrong. You're mixing things, length encoding and value encoding
(as in TLV).
In DER, there's no "indefinite length" objects, because the purpose of
DER is to have the only one non ambiguous representation of an object.
Since an "indefinite length" (i.e. not known in advance) object can also
be represented by its "definite length" counterpart by rewriting it once
the object length is known, then an "indefinite length" can't be the
only one representation of this object.
Next, when writing a DER object, its serialization needs to be unique. A
set of rules are applied to enforce this. For integers, these rules tell
us that the lowest number of bytes need to be used, also ensuring that
negative numbers are expressed in 2s complement form (highest bit set to
1). Therefore, while you can express the number 0x32 as the following
serialization forms all representing the same number:
32
0032
000032
only the first representation is a DER one. The others encode the same
value, but with useless leading bytes.
Negative numbers cannot have a heading 00 octet, because the highest
order bit would then be equal to 0, and the number considered positive.
Therefore, the number 0x92 can be serialized as:
92
0092
000092
only the second form is a DER one. The first has its highest order bit
set to 1, the number considered negative, its value is then -0x6E. The
third form has an unnecessary leading 00 octet.
Of course, adding trailing 00 octets are forbidden, this would
completely change the encoded number. Like writing "70" is not the same
as writing "7".
In your "bad" example key, exponent2's length is smaller than
exponent1's and coefficient's ones. They're not guaranteed to be of the
same length. Exponent{1,2} and coefficient are results of calculations
("d mod (p-1)", "d mod (q-1)", "q^-1 mod p" respectively), and their
magnitude can vary.
Any "a mod b" number cannot be the same size of "b" (consider for
example "2^32+1 mod 2^32", it's not a 32 bits integer).
If your "bad" key cannot be used in .NET, there's another reason.
--
Erwann ABALEA
-----
podoclaste: casse-pieds
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
