CVE-2022-24773: Fix signature verification issues. · digitalbazaar/forge@3f0b49a

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, the RSA PKCS#1 v1.5 signature verification code does not properly check that the DigestInfo has a valid ASN.1 structure. This can lead to successful verification of signatures that contain an invalid structure but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.


@@ -264,6 +264,40 @@ var publicKeyValidator = forge.pki.rsa.publicKeyValidator = { }] };
// validator for a DigestInfo structure var digestInfoValidator = { name: 'DigestInfo’, tagClass: asn1.Class.UNIVERSAL, type: asn1.Type.SEQUENCE, constructed: true, value: [{ name: 'DigestInfo.DigestAlgorithm’, tagClass: asn1.Class.UNIVERSAL, type: asn1.Type.SEQUENCE, constructed: true, value: [{ name: 'DigestInfo.DigestAlgorithm.algorithmIdentifier’, tagClass: asn1.Class.UNIVERSAL, type: asn1.Type.OID, constructed: false, capture: ‘algorithmIdentifier’ }, { // NULL paramters name: 'DigestInfo.DigestAlgorithm.parameters’, tagClass: asn1.Class.UNIVERSAL, type: asn1.Type.NULL, constructed: false }] }, { // digest name: 'DigestInfo.digest’, tagClass: asn1.Class.UNIVERSAL, type: asn1.Type.OCTETSTRING, constructed: false, capture: ‘digest’ }] };
/** * Wrap digest in DigestInfo object. *
@@ -1092,25 +1126,65 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) { * a Forge PSS object for RSASSA-PSS, * ‘NONE’ or null for none, DigestInfo will not be expected, but * PKCS#1 v1.5 padding will still be used. * @param options optional verify options * _parseAllDigestBytes testing flag to control parsing of all * digest bytes. Unsupported and not for general usage. * (default: true) * * @return true if the signature was verified, false if not. */ key.verify = function(digest, signature, scheme) { key.verify = function(digest, signature, scheme, options) { if(typeof scheme === ‘string’) { scheme = scheme.toUpperCase(); } else if(scheme === undefined) { scheme = 'RSASSA-PKCS1-V1_5’; } if(options === undefined) { options = { _parseAllDigestBytes: true }; } if(!(‘_parseAllDigestBytes’ in options)) { options._parseAllDigestBytes = true; }
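Review bot: The new validator makes the AlgorithmIdentifier parameters element (`DigestInfo.DigestAlgorithm.parameters`) mandatory and of type NULL, with no `optional` flag, so a DigestInfo whose encoder omitted the parameters is rejected with the same generic "does not contain a valid DigestInfo" error as a truly malformed one. That strictness is a reasonable default for PKCS#1 v1.5, but nothing in the hunk says it is deliberate; the comment above the element should state it, e.g. `// parameters: an explicit NULL is required; absent parameters are rejected on purpose`. Whether any signer this library must interoperate with omits the NULL for SHA-2 identifiers cannot be told from here. The existing comment `// NULL paramters` also has a typo (`parameters`).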
if(scheme === ‘RSASSA-PKCS1-V1_5’) { scheme = { verify: function(digest, d) { // remove padding d = _decodePkcs1_v1_5(d, key, true); // d is ASN.1 BER-encoded DigestInfo var obj = asn1.fromDer(d); var obj = asn1.fromDer(d, { parseAllBytes: options._parseAllDigestBytes });
// validate DigestInfo var capture = {}; var errors = []; if(!asn1.validate(obj, digestInfoValidator, capture, errors)) { var error = new Error( 'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 ' + ‘DigestInfo value.’); error.errors = errors; throw error; } // check hash algorithm identifier // FIXME: add support to vaidator for strict value choices var oid = asn1.derToOid(capture.algorithmIdentifier); if(!(oid === forge.oids.md2 || oid === forge.oids.md5 || oid === forge.oids.sha1 || oid === forge.oids.sha256 || oid === forge.oids.sha384 || oid === forge.oids.sha512)) { var error = new Error( ‘Unknown RSASSA-PKCS1-v1_5 DigestAlgorithm identifier.’); error.oid = oid; throw error; }
// compare the given digest to the decrypted one return digest === obj.value[1].value; return digest === capture.digest; } }; } else if(scheme === ‘NONE’ || scheme === ‘NULL’ || scheme === null) {
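Review bot: The algorithm-identifier check added after `asn1.validate` only tests that the OID is one of six recognized digests; it does not bind that OID to the hash the caller actually used to compute `digest`, nor check that `capture.digest` has the length that OID implies, so a DigestInfo labelled with a different recognized algorithm is still accepted whenever its digest bytes equal the caller's. The FIXME in the hunk points the same way, and until the validator supports strict value choices the contract should be stated at the check, e.g. `// NOTE: membership check only - the OID is not tied to the hash used to produce 'digest'; callers that need that binding must check the algorithm themselves`. Keeping md2 and md5 in the accepted set also deserves a one-line comment on why legacy digests remain verifiable here. key.verify continues past the end of the hunk.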
