tough-kms: some repos cannot be loaded after signing with kms #262

Closed
webern opened this issue Nov 9, 2020 · 1 comment
Labels
bug Something isn't working

webern commented Nov 9, 2020

Occasionally, the KMS sign function produces a signature with a length shorter than the RSA key modulus used in signing. For example, with an RSA_3072 key, most KMS signatures will be 384 bytes long. But approximately 1 out of 200 signatures will be shorter than that.

Ring has a check to ensure that the length of the signature being verified exactly matches the length of the key modulus. This means that 1/200 KMS signings produces a signature that ring verify will reject.

Both KMS and openssl pkeyutl assert that these 'short' signatures are valid. To ensure that all of ring, KMS and openssl agree, we should prepend signatures returned from KMS that are shorter than the modulus length with zeros until the modulus length is achieved.

webern commented Nov 14, 2020

This has been fixed in #263

@webern webern closed this as completed Nov 14, 2020
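
The zero-padding proposed in this issue, as an added example (not the code from #263 or from tough-kms): an RSA signature is a big-endian integer, so prepending zero bytes changes its length but not its value. `pad_signature`, `integer_bytes` and `PadError` are hypothetical names, and the sample signature bytes are constructed.

```rust
/// Reasons a signature cannot be normalized (hypothetical type for this example).
#[derive(Debug, PartialEq)]
pub enum PadError {
    Empty,
    TooLong { sig_len: usize, modulus_len: usize },
}

/// Left-pad a big-endian RSA signature with zero bytes up to the modulus length,
/// so a verifier that requires `sig.len() == modulus_len` accepts it.
pub fn pad_signature(sig: &[u8], modulus_len: usize) -> Result<Vec<u8>, PadError> {
    if sig.is_empty() {
        return Err(PadError::Empty);
    }
    // A signature longer than the modulus cannot be repaired by padding.
    if sig.len() > modulus_len {
        return Err(PadError::TooLong { sig_len: sig.len(), modulus_len });
    }
    let mut out = vec![0u8; modulus_len - sig.len()];
    out.extend_from_slice(sig);
    Ok(out)
}

/// The integer a big-endian byte string encodes, with leading zero bytes removed.
pub fn integer_bytes(bytes: &[u8]) -> &[u8] {
    let first = bytes.iter().position(|&b| b != 0).unwrap_or(bytes.len());
    &bytes[first..]
}

fn main() {
    const MODULUS_LEN: usize = 384; // RSA_3072, as in the issue

    // Constructed sample: a 383-byte "short" signature (not real KMS output).
    let short: Vec<u8> = (0..383u32).map(|i| (i % 251) as u8 + 1).collect();

    let padded = pad_signature(&short, MODULUS_LEN).expect("padding failed");
    assert_eq!(padded.len(), MODULUS_LEN);
    // Same integer before and after padding: only the encoding length changed.
    assert_eq!(integer_bytes(&padded), integer_bytes(&short));
    println!("{} bytes -> {} bytes", short.len(), padded.len());
}
```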