VYPR
Get started
← All advisories
Moderate severityNVD Advisory· Published Mar 18, 2022· Updated Apr 23, 2025

Improper Verification of Cryptographic Signature in `node-forge`

CVE-2022-24773

Description

Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript. Prior to version 1.3.0, RSA PKCS#1 v1.5 signature verification code does not properly check DigestInfo for a proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest. The issue has been addressed in node-forge version 1.3.0. There are currently no known workarounds.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
node-forgenpm
< 1.3.01.3.0

Affected products

1

Patches

2
bb822c02df0b

Add advisory links.

https://github.com/digitalbazaar/forgeDavid I. LehnMar 17, 2022via ghsa
commit
1 file changed · +6 0
  • CHANGELOG.md+6 0 modified
    @@ -15,6 +15,8 @@ Forge ChangeLog
     ["Bleichenbacher's RSA signature forgery based on implementation
     error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)
     by Hal Finney.
+  - CVE ID: [CVE-2022-24771](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24771)
+  - GHSA ID: [GHSA-cfm4-qjh2-4765](https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765)
 - **HIGH**: Failing to check tailing garbage bytes can lead to signature
   forgery.
   - The code does not check for tailing garbage bytes after decoding a
@@ -24,10 +26,14 @@ Forge ChangeLog
     signature forgery based on implementation
     error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)
     by Hal Finney.
+  - CVE ID: [CVE-2022-24772](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24772)
+  - GHSA ID: [GHSA-x4jg-mjrx-434g](https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g)
 - **MEDIUM**: Leniency in checking type octet.
   - `DigestInfo` is not properly checked for proper ASN.1 structure. This can
     lead to successful verification with signatures that contain invalid
     structures but a valid digest.
+  - CVE ID: [CVE-2022-24773](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24773)
+  - GHSA ID: [GHSA-2r2c-g63r-vccr](https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr)
 
 ### Fixed
 - [asn1] Add fallback to pretty print invalid UTF8 data.
3f0b49a0573e

Fix signature verification issues.

https://github.com/digitalbazaar/forgeDavid I. LehnMar 8, 2022via ghsa
commit
5 files changed · +284 4
  • CHANGELOG.md+38 0 modified
    @@ -3,8 +3,46 @@ Forge ChangeLog
 
 ## 1.3.0 - 2022-XXX
 
+### Security
+- **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were
+  reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
+  - Leniency in checking `digestAlgorithm` structure can lead to signature
+    forgery.
+    - The code is lenient in checking the digest algorithm structure. This can
+      allow a crafted structure that steals padding bytes and uses unchecked
+      portion of the PKCS#1 encoded message to forge a signature when a low
+      public exponent is being used. For more information, please see
+      ["Bleichenbacher's RSA signature forgery based on implementation
+      error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)
+      by Hal Finney.
+  - Failing to check tailing garbage bytes can lead to signature forgery.
+    - The code does not check for tailing garbage bytes after decoding a
+      `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed
+      and garbage data added to forge a signature when a low public exponent is
+      being used.  For more information, please see ["Bleichenbacher's RSA
+      signature forgery based on implementation
+      error"](https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/)
+      by Hal Finney.
+  - Leniency in checking type octet.
+    - `DigestInfo` is not properly checked for proper ASN.1 structure. This can
+      lead to successful verification with signatures that contain invalid
+      structures but a valid digest.
+
 ### Fixed
 - [asn1] Add fallback to pretty print invalid UTF8 data.
+- [asn1] `fromDer` is now more strict and will default to ensuring all input
+  bytes are parsed or throw an error. A new option `parseAllBytes` can disable
+  this behavior.
+  - **NOTE**: The previous behavior is being changed since it can lead to
+    security issues with crafted inputs. It is possible that code doing custom
+    DER parsing may need to adapt to this new behavior and optional flag.
+- [rsa] Add and use a validator to check for proper structure of parsed ASN.1
+  `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that the hash
+  algorithm identifier is a known value. An invalid `DigestInfo` or algorithm
+  identifier will now cause an error to be thrown.
+
+### Added
+- [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking.
 
 ## 1.2.1 - 2022-01-11
  • lib/asn1.js+18 1 modified
    @@ -411,31 +411,40 @@ var _getValueLength = function(bytes, remaining) {
  * @param [options] object with options or boolean strict flag
  *          [strict] true to be strict when checking value lengths, false to
  *            allow truncated values (default: true).
+ *          [parseAllBytes] true to ensure all bytes are parsed
+ *            (default: true)
  *          [decodeBitStrings] true to attempt to decode the content of
  *            BIT STRINGs (not OCTET STRINGs) using strict mode. Note that
  *            without schema support to understand the data context this can
  *            erroneously decode values that happen to be valid ASN.1. This
  *            flag will be deprecated or removed as soon as schema support is
  *            available. (default: true)
  *
+ * @throws Will throw an error for various malformed input conditions.
+ *
  * @return the parsed asn1 object.
  */
 asn1.fromDer = function(bytes, options) {
   if(options === undefined) {
     options = {
       strict: true,
+      parseAllBytes: true,
       decodeBitStrings: true
     };
   }
   if(typeof options === 'boolean') {
     options = {
       strict: options,
+      parseAllBytes: true,
       decodeBitStrings: true
     };
   }
   if(!('strict' in options)) {
     options.strict = true;
   }
+  if(!('parseAllBytes' in options)) {
+    options.parseAllBytes = true;
+  }
   if(!('decodeBitStrings' in options)) {
     options.decodeBitStrings = true;
   }
@@ -445,7 +454,15 @@ asn1.fromDer = function(bytes, options) {
     bytes = forge.util.createBuffer(bytes);
   }
 
-  return _fromDer(bytes, bytes.length(), 0, options);
+  var byteCount = bytes.length();
+  var value = _fromDer(bytes, bytes.length(), 0, options);
+  if(options.parseAllBytes && bytes.length() !== 0) {
+    var error = new Error('Unparsed DER bytes remain after ASN.1 parsing.');
+    error.byteCount = byteCount;
+    error.remaining = bytes.length();
+    throw error;
+  }
+  return value;
 };
 
 /**
  • lib/oids.js+1 0 modified
    @@ -47,6 +47,7 @@ _IN('1.3.14.3.2.29', 'sha1WithRSASignature');
 _IN('2.16.840.1.101.3.4.2.1', 'sha256');
 _IN('2.16.840.1.101.3.4.2.2', 'sha384');
 _IN('2.16.840.1.101.3.4.2.3', 'sha512');
+_IN('1.2.840.113549.2.2', 'md2');
 _IN('1.2.840.113549.2.5', 'md5');
 
 // pkcs#7 content types
  • lib/rsa.js+77 3 modified
    @@ -264,6 +264,40 @@ var publicKeyValidator = forge.pki.rsa.publicKeyValidator = {
   }]
 };
 
+// validator for a DigestInfo structure
+var digestInfoValidator = {
+  name: 'DigestInfo',
+  tagClass: asn1.Class.UNIVERSAL,
+  type: asn1.Type.SEQUENCE,
+  constructed: true,
+  value: [{
+    name: 'DigestInfo.DigestAlgorithm',
+    tagClass: asn1.Class.UNIVERSAL,
+    type: asn1.Type.SEQUENCE,
+    constructed: true,
+    value: [{
+      name: 'DigestInfo.DigestAlgorithm.algorithmIdentifier',
+      tagClass: asn1.Class.UNIVERSAL,
+      type: asn1.Type.OID,
+      constructed: false,
+      capture: 'algorithmIdentifier'
+    }, {
+      // NULL paramters
+      name: 'DigestInfo.DigestAlgorithm.parameters',
+      tagClass: asn1.Class.UNIVERSAL,
+      type: asn1.Type.NULL,
+      constructed: false
+    }]
+  }, {
+    // digest
+    name: 'DigestInfo.digest',
+    tagClass: asn1.Class.UNIVERSAL,
+    type: asn1.Type.OCTETSTRING,
+    constructed: false,
+    capture: 'digest'
+  }]
+};
+
 /**
  * Wrap digest in DigestInfo object.
  *
@@ -1092,25 +1126,65 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
    *          a Forge PSS object for RSASSA-PSS,
    *          'NONE' or null for none, DigestInfo will not be expected, but
    *            PKCS#1 v1.5 padding will still be used.
+   * @param options optional verify options
+   *          _parseAllDigestBytes testing flag to control parsing of all
+   *            digest bytes. Unsupported and not for general usage.
+   *            (default: true)
    *
    * @return true if the signature was verified, false if not.
    */
-  key.verify = function(digest, signature, scheme) {
+  key.verify = function(digest, signature, scheme, options) {
     if(typeof scheme === 'string') {
       scheme = scheme.toUpperCase();
     } else if(scheme === undefined) {
       scheme = 'RSASSA-PKCS1-V1_5';
     }
+    if(options === undefined) {
+      options = {
+        _parseAllDigestBytes: true
+      };
+    }
+    if(!('_parseAllDigestBytes' in options)) {
+      options._parseAllDigestBytes = true;
+    }
 
     if(scheme === 'RSASSA-PKCS1-V1_5') {
       scheme = {
         verify: function(digest, d) {
           // remove padding
           d = _decodePkcs1_v1_5(d, key, true);
           // d is ASN.1 BER-encoded DigestInfo
-          var obj = asn1.fromDer(d);
+          var obj = asn1.fromDer(d, {
+            parseAllBytes: options._parseAllDigestBytes
+          });
+
+          // validate DigestInfo
+          var capture = {};
+          var errors = [];
+          if(!asn1.validate(obj, digestInfoValidator, capture, errors)) {
+            var error = new Error(
+              'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 ' +
+              'DigestInfo value.');
+            error.errors = errors;
+            throw error;
+          }
+          // check hash algorithm identifier
+          // FIXME: add support to vaidator for strict value choices
+          var oid = asn1.derToOid(capture.algorithmIdentifier);
+          if(!(oid === forge.oids.md2 ||
+            oid === forge.oids.md5 ||
+            oid === forge.oids.sha1 ||
+            oid === forge.oids.sha256 ||
+            oid === forge.oids.sha384 ||
+            oid === forge.oids.sha512)) {
+            var error = new Error(
+              'Unknown RSASSA-PKCS1-v1_5 DigestAlgorithm identifier.');
+            error.oid = oid;
+            throw error;
+          }
+
           // compare the given digest to the decrypted one
-          return digest === obj.value[1].value;
+          return digest === capture.digest;
         }
       };
     } else if(scheme === 'NONE' || scheme === 'NULL' || scheme === null) {
  • tests/unit/rsa.js+150 0 modified
    @@ -1,5 +1,6 @@
 var ASSERT = require('assert');
 var FORGE = require('../../lib/forge');
+var JSBN = require('../../lib/jsbn');
 var MD = require('../../lib/md.all');
 var MGF = require('../../lib/mgf');
 var PKI = require('../../lib/pki');
@@ -773,5 +774,154 @@ var UTIL = require('../../lib/util');
         });
       }
     })();
+
+    describe('bad data', function() {
+      // params for tests
+
+      // public modulus / 256 bytes
+      var N = new JSBN.BigInteger(
+        'E932AC92252F585B3A80A4DD76A897C8B7652952FE788F6EC8DD640587A1EE56' +
+        '47670A8AD4C2BE0F9FA6E49C605ADF77B5174230AF7BD50E5D6D6D6D28CCF0A8' +
+        '86A514CC72E51D209CC772A52EF419F6A953F3135929588EBE9B351FCA61CED7' +
+        '8F346FE00DBB6306E5C2A4C6DFC3779AF85AB417371CF34D8387B9B30AE46D7A' +
+        '5FF5A655B8D8455F1B94AE736989D60A6F2FD5CADBFFBD504C5A756A2E6BB5CE' +
+        'CC13BCA7503F6DF8B52ACE5C410997E98809DB4DC30D943DE4E812A47553DCE5' +
+        '4844A78E36401D13F77DC650619FED88D8B3926E3D8E319C80C744779AC5D6AB' +
+        'E252896950917476ECE5E8FC27D5F053D6018D91B502C4787558A002B9283DA7',
+        16);
+
+      // private exponent
+      var d = new JSBN.BigInteger(
+        '009b771db6c374e59227006de8f9c5ba85cf98c63754505f9f30939803afc149' +
+        '8eda44b1b1e32c7eb51519edbd9591ea4fce0f8175ca528e09939e48f37088a0' +
+        '7059c36332f74368c06884f718c9f8114f1b8d4cb790c63b09d46778bfdc4134' +
+        '8fb4cd9feab3d24204992c6dd9ea824fbca591cd64cf68a233ad0526775c9848' +
+        'fafa31528177e1f8df9181a8b945081106fd58bd3d73799b229575c4f3b29101' +
+        'a03ee1f05472b3615784d9244ce0ed639c77e8e212ab52abddf4a928224b6b6f' +
+        '74b7114786dd6071bd9113d7870c6b52c0bc8b9c102cfe321dac357e030ed6c5' +
+        '80040ca41c13d6b4967811807ef2a225983ea9f88d67faa42620f42a4f5bdbe0' +
+        '3b',
+        16);
+
+      // public exponent
+      var e = new JSBN.BigInteger('3');
+
+      // hash function
+      // H = SHA-256 (OID = 0x608648016503040201)
+
+      // message
+      var m = 'hello world!';
+
+      // to-be-signed RSA PKCS#1 v1.5 signature scheme input structure
+      // I
+
+      // signature value obtained by I^d mod N
+      // S
+
+      function _checkBadTailingGarbage(publicKey, S) {
+        var md = MD.sha256.create();
+        md.update(m);
+
+        ASSERT.throws(function() {
+          publicKey.verify(md.digest().getBytes(), S);
+        }, {
+          message: 'Unparsed DER bytes remain after ASN.1 parsing.'
+        });
+      }
+
+      function _checkBadDigestInfo(publicKey, S, skipTailingGarbage) {
+        var md = MD.sha256.create();
+        md.update(m);
+
+        ASSERT.throws(function() {
+          publicKey.verify(md.digest().getBytes(), S, undefined, {
+            _parseAllDigestBytes: !skipTailingGarbage
+          });
+        }, {
+          message: 'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 DigestInfo value.'
+        });
+      }
+
+      it('should check DigestInfo structure', function() {
+        var publicKey = RSA.setPublicKey(N, e);
+        var S = UTIL.binary.hex.decode(
+          'e7410e05bdc38d1c72fab784be41df3d3de2ae83894d9ec86cb5fe343d5dc7d45df2a36fc60363faf32f0d37ab457648af40a48a6c53ae7af0575e92cb1ffc236d55e1325af8c71b3ac313f2630fb498b8e1546093aca1ed56026a96cb525d991159a2d6ccbfd5ef63ae718f8ace2469e357ccf3f6a048bbf9760f5fb36b9dd38fb330eab504f05078b83f5d8bd95dce8fccc6b46babd56f678300f2b39083e53e04e79f503358a6222f8dd66b561fea3a51ecf3be16c9e2ea6ba8aaed9fbe6ba510ff752e4529385f759d4d6120b15f65534248ed5bbb1307a7d0a9838329697f5fbae91f48e478dcbb77190f0d173b6cb8b1299cf4202570d25d11a7862b47');
+
+        _checkBadDigestInfo(publicKey, S);
+      });
+
+      it('should check tailing garbage and DigestInfo [1]', function() {
+        var publicKey = RSA.setPublicKey(N, e);
+        var S = UTIL.binary.hex.decode(
+          'c2ad2fa23c246ee98c453d69023e7ec05956b48bd0e287341ba9d342ad49b0fff2bcbb9adc50f1ccbfc54106305cc74a88db89ff94901a08359893a08426373e7949a8794798233445af6c48bc6ccbe278bdeb62c31e40c3bf0014af2faadcc9ed7885756789a5b95c2a355fbb3f04412f42e0f9ed335ab51af8f091a62aaaaf6577422220917daaece3ca2f4e66dc4e0574356762592052b406768c31c25cf4c1754e6da9dc3440e238c4f9b25cccc174dd1b17b027e0f9ce2763b86f0e6871690ddd018d2e774bc968c9c6e907a000daf5044ba31a0b9eefbd7b4b1ec466d20bc1dd3f020cb1091af6b476416da3024ea046b09fbbbc4d2355da9a2bc6ddb9');
+
+        _checkBadTailingGarbage(publicKey, S);
+        _checkBadDigestInfo(publicKey, S, true);
+      });
+
+      it('should check tailing garbage and DigestIfno [2]', function() {
+        var publicKey = RSA.setPublicKey(N, e);
+        var S = UTIL.binary.hex.decode(
+          'a7c5812d7fc0eef766a481aac18c8c48483daf9b5ffb6614bd98ebe4ecb746dd493cf5dd2cbe16ecaa0b52109b744930eda49316605fc823fd57a68b5b2c62e8c1b158b26e1547a2e33cdd79427d7c513f07d02261ffe43db197d8cddca2b5b43c1df85aaed6e91aadd44a46bff7f5c70f1acc1a193917e3908444632f30e69cfe95d8036d3b6ad318eefd3952804f16613c969e6d13604bb4e723dfad24c42c8d9b5b16a9f5a4b40dcf17b167d319017740f9cc0836436c14d51c3d8a697f1fa2b65196deb5c21b1559c7dea7f598007fa7320909825009f8bf376491c298d8155a382e967042db952e995d14b2f961e1b22f911d1b77895def1c7ef229c87e');
+
+        _checkBadTailingGarbage(publicKey, S);
+        _checkBadDigestInfo(publicKey, S, true);
+      });
+
+      it('should check tailing garbage and DigestInfo [e=3]', function() {
+        var N = new JSBN.BigInteger(
+          '29438513389594867490232201282478838726734464161887801289068585100507839535636256317277708295678804401391394313946142335874609638666081950936114152574870224034382561784743283763961349980806819078028975594777103388280272392844112380900374508170221075553517641170327441791034393719271744724924194371070527213991317221667249077972700842199037403799480569910844701030644322616045408039715278394572328099192023924503077673178227614549351191204851805076359472439160130994385433568113626206477097769842080459156024112389406200687233341779381667082591421496870666931268548504674362230725756397511775557878046572472650613407143');
+        var e = new JSBN.BigInteger('3');
+        var publicKey = RSA.setPublicKey(N, e);
+
+        var S = UTIL.binary.hex.decode(
+          '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002853ccc2cd32a8d430dd3bde37e70782ac82cdb7bce3c044219b50aefd689c20d3b840299f28e2fde6c67c8a7f9e528ac222fae947a6dee0d812e3c3b3452171717396e8bedc3132d92d8317e3593642640d1431ef');
+
+        _checkBadTailingGarbage(publicKey, S);
+        _checkBadDigestInfo(publicKey, S, true);
+      });
+
+      it('should check tailing garbage and DigestInfo [e=5]', function() {
+        var N = new JSBN.BigInteger(
+          '29438513389594867490232201282478838726734464161887801289068585100507839535636256317277708295678804401391394313946142335874609638666081950936114152574870224034382561784743283763961349980806819078028975594777103388280272392844112380900374508170221075553517641170327441791034393719271744724924194371070527213991317221667249077972700842199037403799480569910844701030644322616045408039715278394572328099192023924503077673178227614549351191204851805076359472439160130994385433568113626206477097769842080459156024112389406200687233341779381667082591421496870666931268548504674362230725756397511775557878046572472650613407143');
+        var e = new JSBN.BigInteger('5');
+        var publicKey = RSA.setPublicKey(N, e);
+
+        var S = UTIL.binary.hex.decode(
+          '000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005475fe2681d7125972bd2c2f2c7ab7b8003b03d4a487d6dee07c14eb5212a9fe0071b93f84ba5bb4b0cfaf20c976b11d902013');
+
+        _checkBadTailingGarbage(publicKey, S);
+        _checkBadDigestInfo(publicKey, S, true);
+      });
+
+      it('should check tailing garbage and DigestInfo [e=17]', function() {
+        var N = new JSBN.BigInteger(
+          '928365641661298526294114382771769657905695995680009680444002258089796055192245321020911051590379097587133341820043795407471021630328875171430160513961779154294247563032373839871165519961382202811828883364651574763124699947662060849683176689286181021501400261976653416725246403933613615758181648971537689642956474563961490989544033629566558036444831495046301215543198107208071526376318961481739278769122885031686763776874806317352741548232110892401401727195758835975800106904020775937891505819798776295294696516670437057465296389148672556848624501468669295285428387365416747516180652630054765393335211528084329716917821726670549155619986875030049107668205064454104328601041931972319966348825621299693193542460060799067674344247887198933507132592770898312271636011037138984729256515515185153334743685479709085410902269777563691615719884708908509618352792737826421059819474305949001978916949447029010362775778664826653636547333219983468955600305523140183269580452792812503399042201081785972707218144968460623663922470814889738564730816412201128810370324070680245854669130551872958017494277468722193869883705529583737211815974801292292728082721785855274147991979220001018156560009927148374995236030383474031418802554714043680969417015155298092390680188406177667101020936206754551985229636814788735090951246816765035721775759652424641736739668936540450232814857289312589998505627375553038062765493408460941597629291231866042662108291164359496334978563287523685872262509560463225096226739991402761266388226652661345282274508037924611589455395655512013078629375186805951823181371561289129616028768733583565439798508002546685505512478002960132511531323264596144585611962969372672455541953777622436993987703564293487820434112162562492086865147598436647725445230861246093950020099084994990632102506848190196407855705745530407617253129971665939853842224965079537303198339986953399517682750248394628026225887174258267456078564070387327653989505416943226163989004419377363130466566387761757272563996086708621913140580687414698126490572618509858141748692837570235128900627675422927964369356691123905362222855545719945605604307263252851081309622569225811979426856464673233875589085773616373798857001344093594417138323005260179781153950803127773817702016534081581157881295739782000814998795398671806283018844936919299070562538763900037469485135699677248580365379125702903186174995651938469412191388327852955727869345476087173047665259892129895247785416834855450881318585909376917039');
+        var e = new JSBN.BigInteger('17');
+        var publicKey = RSA.setPublicKey(N, e);
+
+        var S = UTIL.binary.hex.decode(
+          '00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001eb90acbec1bf590ba1e50960db8381fb5bdc363d46379d09956560a616b88616ce7fa4309dc45f47f5fa47d61bf66baa3d11732ce71768ded295f962');
+
+        _checkBadTailingGarbage(publicKey, S);
+        _checkBadDigestInfo(publicKey, S, true);
+      });
+
+      it('should check DigestInfo type octet [1]', function() {
+        var publicKey = RSA.setPublicKey(N, e);
+        var S = UTIL.binary.hex.decode(
+          'd8298a199e1b6ac18f3c0067a004bd9ff7af87be6ad857d73cc3d24ef06195b82aaddb0194f8e61fc31453b9163062255e8baf9c480200d0991a5f764f63d5f6afd283b9cd6afe54f0b7f738707b4eb6b8807539bb627e74db87a50413ab18e504e37975aad1edc612bc8ecad53b81ea249deb5a2acc27e6419c61ab9acec6608f5ae6a2985ba0b6f42d831bc6cce4b044864154b935cf179967d129e0ad8eda9bfbb638121c3ff13c64d439632e62250d4be928a3deb112ef76a025c5d918051e601878eac0049fc9d82be9ae3475deb7ca515c830c20b91b7bedf2184fef66aea0bde62ccd1659afbfd1342322b095309451b1a87e007e640e368fb68a13c9');
+
+        _checkBadDigestInfo(publicKey, S);
+      });
+
+      it('should check DigestInfo type octet [2]', function() {
+        var publicKey = RSA.setPublicKey(N, e);
+        var S = UTIL.binary.hex.decode(
+          'c1acdd3aef5f0439c254980295fc0d81b628df00726310a1041d79b5dd94c11d3bcaf0236763c77c25d9ab49522ed2a7d6ea3a4e483a29838acd48f2d60a790275f4cd46e4b1d09c527a426ec373e8a21746ad3ea541d3b85ba4c303ff793ea8a0a3458e93a7ec42ed66f675d7c299b0817ac95f7f45b2f48c09b3c070171f31a33ac789da9943da5dabcda1c95b42531d45484ac1efde0fe0519077debb93183e63de8f80d7f3cbfecb03cbb44ac4a2d56699e33fca0663b79ca627755fc4fc684b4ab358a0b4ac5b7e9d0cc18b6ab6300b40781502a1c03d34f31dd19d81195f8a44bc03a2595a706f06f0cb39b8e3f4afe06675fe7439b057f1200a06f4fd');
+
+        _checkBadDigestInfo(publicKey, S);
+      });
+    });
   });
 })();

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.