I'm looking at an attestation certificate from a Yubikey Plus. The signature part (as shown by openssl asn1parse -dump) starts like this:
Code:
268:d=1 hl=2 l= 11 cons: SEQUENCE
270:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption
281:d=1 hl=4 l= 257 prim: BIT STRING
0000 - 03 76 0e 36 95 65 ef 88-e9 04 28 04 d8 8f fa 5f .v.6.e....(...._
0010 - bd 5b 99 93 a3 12 46 8f-b1 74 96 12 96 a5 39 cc .[....F..t....9.
...
In an ASN.1 BIT STRING, the first byte is the number of unused/padding bits at the end of the string.
According to
RFC3477 s8.2.1: "Output: an octet string of length k, where k is the length in octets of the RSA modulus n."
Therefore, it is impossible to have a valid DER-encoded RSA PKCS#1 signature that has unused bits.
Is this certificate completely broken? Can you advise an approach for parsing it?
(for more info and the certificate in question, please see
https://github.com/briansmith/webpki/pull/34).
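As an added example (not part of the question above and not webpki's code), here is a small Python DER reader for the signatureValue BIT STRING that makes the problem concrete: it reads the unused-bits octet, enforces the DER rule that padding bits are zero, and then applies the PKCS#1 rule quoted above (an RSA signature is exactly k whole octets, so the unused-bits octet must be 0). It also has a lenient "salvage" path that ignores a nonzero unused-bits octet and hands back the octets that follow it. All bytes are constructed; the modulus length of 256 is an assumption matching the 257-octet BIT STRING shown (one unused-bits octet plus 256 signature octets).

```python
"""Added example: DER BIT STRING reader for an X.509 signatureValue, with a
strict PKCS#1 check and a lenient salvage path. Sample bytes are constructed;
they are not the real certificate's."""


class DerError(ValueError):
    """Raised for malformed or non-DER input."""


def read_tlv(data: bytes, offset: int = 0):
    """Decode one DER TLV at `offset`; return (tag, content, next_offset).
    Short-form and definite long-form lengths only; non-minimal encodings
    are rejected as DER requires."""
    if offset + 2 > len(data):
        raise DerError("truncated TLV header")
    tag, first, pos = data[offset], data[offset + 1], offset + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length is not DER")
        if pos + n > len(data):
            raise DerError("truncated length field")
        if data[pos] == 0:
            raise DerError("non-minimal length encoding")
        length = int.from_bytes(data[pos:pos + n], "big")
        if length < 0x80:
            raise DerError("long form used for a length below 128")
        pos += n
    if pos + length > len(data):
        raise DerError("truncated content")
    return tag, data[pos:pos + length], pos + length


def parse_bit_string(tlv: bytes, der_strict: bool = True):
    """Return (unused_bits, body). The first content octet counts padding
    bits at the end of the last body octet; DER requires them to be zero,
    which der_strict=False stops enforcing (BER-style leniency)."""
    tag, content, _ = read_tlv(tlv)
    if tag != 0x03:
        raise DerError(f"expected BIT STRING (tag 0x03), got 0x{tag:02x}")
    if not content:
        raise DerError("BIT STRING must carry at least the unused-bits octet")
    unused, body = content[0], content[1:]
    if unused > 7:
        raise DerError(f"unused-bits octet {unused} exceeds 7")
    if unused and not body:
        raise DerError("unused bits declared on an empty BIT STRING")
    if der_strict and unused and body[-1] & ((1 << unused) - 1):
        raise DerError("padding bits must be zero in DER")
    return unused, body


def rsa_signature_from_bit_string(tlv: bytes, modulus_len: int,
                                  strict: bool = True) -> bytes:
    """Extract an RSASSA-PKCS1-v1_5 signature from a signatureValue.
    strict=True is what a conforming verifier should do: zero unused bits
    and exactly modulus_len octets. strict=False is the salvage path: a
    nonzero unused-bits octet is ignored and the following octets returned."""
    unused, body = parse_bit_string(tlv, der_strict=strict)
    if unused != 0 and strict:
        raise DerError(f"signature BIT STRING declares {unused} unused bits; "
                       "an RSA signature must be a whole number of octets")
    if len(body) != modulus_len:
        raise DerError(f"signature is {len(body)} octets, expected {modulus_len}")
    return body


def encode_bit_string(unused: int, body: bytes) -> bytes:
    """Build a BIT STRING TLV (used here only to construct samples)."""
    content = bytes([unused]) + body
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return b"\x03" + length + content


def rejected(fn, *args, **kwargs) -> bool:
    """True when fn raises DerError (keeps the demo and checks to plain asserts)."""
    try:
        fn(*args, **kwargs)
    except DerError:
        return True
    return False


# Constructed 256-octet (2048-bit) signature body; every octet has its low
# three bits clear so the padding-bit check is not what trips first.
SIG_BODY = bytes(((i * 37) & 0xF8) for i in range(256))
GOOD_TLV = encode_bit_string(0, SIG_BODY)  # what a conforming encoder emits
BAD_TLV = encode_bit_string(3, SIG_BODY)   # unused-bits octet 0x03, as in the post


def salvage(tlv: bytes, modulus_len: int = 256) -> bytes:
    """Lenient extraction: how to get the octets out of such a cert anyway."""
    return rsa_signature_from_bit_string(tlv, modulus_len, strict=False)


if __name__ == "__main__":
    print(len(BAD_TLV), "TLV octets: 1 tag + 3 length + 257 content")
    print("strict parse rejects the 0x03 encoding:",
          rejected(rsa_signature_from_bit_string, BAD_TLV, 256))
    print(len(salvage(BAD_TLV)), "octets recovered leniently")
```

The strict path is the behaviour a verifier should keep by default: a nonzero unused-bits octet on an RSA signature is an encoding error, not a different signature. The salvage path only answers "how do I get bytes out of it"; the recovered 256 octets still have to pass RSA verification against the issuer key, and nothing here makes the encoding conformant.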