Skip to content

Allow RSA signing with raw data (without a DigestInfo) #13740

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Allow RSA signing with raw data (without a DigestInfo) #13740

wants to merge 3 commits into from
+139 −7

Conversation

@jahkosha
Copy link
Contributor

@jahkosha jahkosha commented Oct 24, 2025

This fixes #3713 and #10226.

Instead of using the script written by @misterzed88 in #10226 to generate modified tests vectors, I did directly implement the same logic in the test infrastructure, so we can reuse directly the NIST (or others...) vectors stored in the tests.

@alex
Copy link
Member

alex commented Oct 24, 2025

I haven't reviewed in depth -- but I don't think we should use None to signify this, I think we should have a dedicated sentinel, Raw<Something> perhaps. None looks like a reasonable default, but this is the opposite of that :-)

@reaperhulk wdyt?

@jahkosha
Copy link
Contributor Author

jahkosha commented Oct 25, 2025

@alex yeah that is a fair concern 👍 in some early attempt I did add a NoHash hashes instead of using None, but I was afraid that would cause even more confusion so eventually I went with None.

I'll be happy to apply what you folks think is the best, if possible, please provide pointers where in the code-base a similar pattern is used so I can take inspiration from it.

@misterzed88
Copy link
Contributor

misterzed88 commented Oct 25, 2025
edited
Loading

I haven't reviewed in depth -- but I don't think we should use None to signify this, I think we should have a dedicated sentinel, Raw<Something> perhaps. None looks like a reasonable default, but this is the opposite of that :-)

@reaperhulk wdyt?

I would like to highlight that the API already uses None for this purpose (for the RSA signature recover functionality, ref. issue #5495). So whatever you decide, you may want to use the same method in all the API functions to make them symmetric.

@reaperhulk
Copy link
Member

reaperhulk commented Nov 1, 2025

Hmm, the inconsistency is a bit unfortunate. I'd be inclined to do a RawNoDigestInfo (or perhaps just NoDigestInfo?) sentinel here and then also add that as an option on the signature recovery method while retaining None for backwards compatibility. So this signature would look like sign(value, PKCS1v15(), RawNoDigestInfo()) or sign(value, PKCS1v15(), NoDigestInfo()).

@jahkosha
Copy link
Contributor Author

jahkosha commented Nov 4, 2025

@alex @reaperhulk I did add a sentinel NoDigestInfo and support it also on recover_data_from_signature

Please have an other look and let me know what you think

reaperhulk
reaperhulk reviewed Nov 4, 2025
View reviewed changes
reaperhulk
reaperhulk reviewed Nov 5, 2025
View reviewed changes
Copy link
Member

@reaperhulk reaperhulk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We also need docs for this new value in RSAPrivateKey.sign

src/cryptography/hazmat/primitives/asymmetric/utils.py
encode_dss_signature = asn1.encode_dss_signature


class NoDigestInfo:
Copy link
Member

@reaperhulk reaperhulk Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to document this in the same section as Prehashed

tests/hazmat/primitives/test_rsa.py
signature = private_key.sign(
binascii.unhexlify(
compute_rsa_hash_digest(
backend, hashes.SHA1(), example["message"]
Copy link
Member

@reaperhulk reaperhulk Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer we used SHA256 for the tests here because otherwise we'll increasingly have coverage challenges as more and more things disable SHA1.

tests/hazmat/primitives/test_rsa.py

# Test recovery of all data (full DigestInfo) with hash alg. as
# None
rec_sig_data = public_key.recover_data_from_signature(
Copy link
Member

@reaperhulk reaperhulk Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to document that recover_data_from_signature now takes this new argument.

tests/hazmat/primitives/test_rsa.py
backend.signature_hash_supported(hashes.SHA1())
and backend.rsa_padding_supported(padding.PKCS1v15())
),
skip_message="Does not support SHA1 and PKCS1v1.5.",
Copy link
Member

@reaperhulk reaperhulk Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same SHA1 concern

Tarnum-tst
Tarnum-tst reviewed Nov 6, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alex alex alex left review comments

@reaperhulk reaperhulk reaperhulk left review comments

+1 more reviewer

@Tarnum-tst Tarnum-tst Tarnum-tst left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Allow signing to exclude hash constant

5 participants

@jahkosha @alex @misterzed88 @reaperhulk @Tarnum-tst