Skip to main content
gfxfloro
gfxfloro
Associate III
October 6, 2022
Question

Crypto library RSA Signature errors

  • October 6, 2022
  • 1 reply
  • 2028 views

Hi,

I am trying to use the STM32Cryptography library to verify the signature of a flash segment, using RSA Encryption and 3072 bit length keys.

The signature is generated by a python script and appended to the hex file. The signature has a length of 384 bytes, just like the modulus that is fed to the script and the STM application.

When calling the verify function (cmox_rsa_pkcs1v22_verify) the return value indicates the modulus is too short (retval = 0x50007). How can the library determine that the modulus is too short when the input variables show a length of 384 bytes for the signature and the modulus? I was under the impression that the signature was just an integer, is there some format that the signature has to adhere to?

In the following excerpt you can see the code, that I use to reproduce the error. The first verification against the computed value is successful as it should be. However the second verification against the python_signature returns 0x50007. Although the passed sizeof() of computed_signature and python_signature are identical. As are the sizes of the modulus.

hretval = cmox_hash_compute(CMOX_SHA256_ALGO,
 data, DATA_SIZE,
 Computed_Hash,
 CMOX_SHA256_SIZE,
 &computed_size);
 
cmox_rsa_construct(&Rsa_Ctx, CMOX_RSA_MATH_FUNCS, CMOX_MODEXP_PRIVATE, Working_Buffer, sizeof(Working_Buffer));
 
 /* Fill in RSA key structure using the regular private key representation */
 retval = cmox_rsa_setKey(&Rsa_Key,
 Modulus, sizeof(Modulus), 
 Private_Exponent, sizeof(Private_Exponent));
 
 /* Compute directly the signature passing all the needed parameters */
 retval = cmox_rsa_pkcs1v22_sign(&Rsa_Ctx,
 &Rsa_Key,
 Computed_Hash,
 CMOX_RSA_PKCS1V22_HASH_SHA256,
 Salt, sizeof(Salt),
 Computed_Signature, &computed_size);
 
cmox_rsa_construct(&Rsa_Ctx, CMOX_RSA_MATH_FUNCS, CMOX_MODEXP_PUBLIC, Working_Buffer, sizeof(Working_Buffer));
 
 /* Fill in RSA key structure using the public key representation */
 retval = cmox_rsa_setKey(&Rsa_Key,
 Modulus, sizeof(Modulus),
 Public_Exponent, sizeof(Public_Exponent));
 
 /* Compute directly the signature passing all the needed parameters */
 retval = cmox_rsa_pkcs1v22_verify(&Rsa_Ctx, 
 &Rsa_Key,
 Computed_Hash,
 CMOX_RSA_PKCS1V22_HASH_SHA256,
 sizeof(Salt), 
 Computed_Signature, sizeof(Computed_Signature),
 &fault_check);
 
 retval = cmox_rsa_pkcs1v22_verify(&Rsa_Ctx,
 &Rsa_Key, 
 Computed_Hash,
 CMOX_RSA_PKCS1V22_HASH_SHA256,
 sizeof(Salt), 
 python_signature, sizeof(python_signature), /* Signature to verify */
 &fault_check);

This topic has been closed for replies.

1 reply

Bubbles
Bubbles
ST Employee
December 21, 2022

Hi @gfxfloro​,

the length in bytes may be identical, but the length in bits may not be. The RSA requires the MSB of the integer to be higher than certain value. Because if there are leading zeroes, it's no longer 3072 bit key, but 3069 bit or whatever the leading zeroes may result it.

There are functions for key generation and it's not recommended to simply take a random number and use it directly. These functions will, among other things, check that the leading zeroes are not a problem for either the modulus or the exponent.

BR,

J

To give better visibility on the answered topics, please click on Accept as Solution on the reply which solved your issue or answered your question.
Terms & ConditionsAccessibility statement