Skip to content

Fix PKCS8 decoding for some RSA private keys #937

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Mar 23, 2017
Merged

Fix PKCS8 decoding for some RSA private keys #937

merged 2 commits into from
Mar 23, 2017

Conversation

evildour
Copy link
Contributor

According to this answer on the cryptography StackExchange site, there is a 1 in 400 edge case where the private key's D value will only require 255 bytes to be encoded, so we were trimming it to 255 bytes, but when .NET imports the RSA key parameters, it requires them to be aligned on 8 byte boundaries apparently.

cc @iantalarico

@googlebot googlebot added the cla: yes This human has signed the Contributor License Agreement. label Mar 21, 2017
@evildour
Copy link
Contributor Author

(ready to be reviewed)

@jskeet
Copy link
Collaborator

jskeet commented Mar 21, 2017

Assigned to Chris as I believe he wrote this code :)

@evildour
Copy link
Contributor Author

Hold off on reviewing. I just realized I introduced a bug in the array copying logic.

@evildour
Copy link
Contributor Author

Ok, fixed now. PTAL.

@jskeet
Copy link
Collaborator

jskeet commented Mar 22, 2017

Just to check, is this still needed bearing in mind your other changes around URL signing?

@chrisdunelm
Copy link
Contributor

I'm fairly sure this PR and URL signing are unrelated. I expect to get time to review this PR today.

@evildour
Copy link
Contributor Author

Yes, this is unrelated and just an odd edge case Ian happened to hit with the first credentials for the CI service account.

chrisdunelm added a commit to chrisdunelm/google-api-dotnet-client that referenced this pull request Mar 22, 2017
@chrisdunelm
PKCS decoder fuzz test
db601e6 
This fails without PR googleapis#937, passes with it
@chrisdunelm chrisdunelm mentioned this pull request Mar 22, 2017
Merged
@chrisdunelm
Copy link
Contributor

I have created PR #938, which generates many RSA keys in PKCS8 format and verifies the Pkcs8 class now decodes them successfully. This fails (as expected) without the fix in this PS.

chrisdunelm
chrisdunelm approved these changes Mar 22, 2017
View reviewed changes
Copy link
Contributor

@chrisdunelm chrisdunelm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

chrisdunelm added a commit to chrisdunelm/google-api-dotnet-client that referenced this pull request Mar 22, 2017
@chrisdunelm
PKCS decoder fuzz test
fa5399f 
This fails without PR googleapis#937, passes with it
@chrisdunelm chrisdunelm merged commit f2a1795 into googleapis:master Mar 23, 2017
chrisdunelm added a commit to chrisdunelm/google-api-dotnet-client that referenced this pull request Mar 23, 2017
@chrisdunelm
PKCS decoder fuzz test
81360b5 
This fails without PR googleapis#937, passes with it
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisdunelm chrisdunelm chrisdunelm approved these changes

Assignees

@chrisdunelm chrisdunelm

Labels
cla: yes This human has signed the Contributor License Agreement.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@evildour @jskeet @chrisdunelm @googlebot