This repository has been archived by the owner on Mar 12, 2023. It is now read-only.

Possible bug in the ASN.1 to raw signature conversion #12

Open
mschwaig opened this issue May 30, 2019 · 1 comment

@mschwaig

I think I found a bug in your ASN.1 parsing logic while I was working on an open issue in the JOSESwift project.

The raw signatures need to have a fixed length, so that the recipient can know where the value of R ends and the value of S begins. In the ASN.1 format this length can vary, since the length of the numbers is explicitly encoded.

Basically this means the integers inside the ASN.1 structure can sometimes be shorter than the fixed length they need to have in the raw signature format. On the rare occasions when this happens the signature validation will fail.

I think you should be able to reproduce this issue by generating and verifying something like 10k signatures using the raw format. Some of the verifications should fail because of this issue.

I was only working and testing with the ASN1.swift file and not with your full project, so I am not submitting a PR right now, but this is the fix that worked for me in that context:

I replaced your calls to

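```swift
// Only handles the 33-byte case (leading 0x00 sign byte); shorter values pass through unchanged.
private func dropLeadingBytes() -> Data {
    if self.count == 33 {
        return self.dropFirst()
    }
    return self
}
```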

with calls to

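```swift
private func fixOctetLength(octetLength: Int) -> Data {
    // One byte too long: drop the leading 0x00 sign byte.
    if self.count == octetLength + 1 {
        return self.dropFirst()
    }
    // Too short: left-pad with zero bytes up to the fixed length.
    if self.count < octetLength {
        return Data(count: octetLength - self.count) + self
    }
    return self
}
```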

which also pads R and S if they are too short.
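The conversion described in the comment above, as an added example that is not code from the issue or from the project: a stand-alone DER-to-raw converter that normalizes both integers to a fixed width and rejects malformed input. The names `DERError`, `fixedWidth` and `rawSignature` are hypothetical, 32-byte integers and short-form DER lengths are assumed, and it goes slightly beyond the fix above by stripping every leading zero byte before padding.

```swift
import Foundation

enum DERError: Error { case malformed, integerTooLong }

// Normalizes a DER INTEGER body to exactly `octetLength` bytes.
func fixedWidth(_ integer: Data, octetLength: Int) throws -> Data {
    // Leading zero bytes (DER sign padding) do not change the value.
    let stripped = Data(integer.drop(while: { $0 == 0 }))
    guard stripped.count <= octetLength else { throw DERError.integerTooLong }
    return Data(count: octetLength - stripped.count) + stripped
}

// Converts SEQUENCE { INTEGER r, INTEGER s } into r || s.
// Assumption: short-form lengths only (< 128), enough for 32-byte integers.
func rawSignature(fromDER der: Data, octetLength: Int = 32) throws -> Data {
    let bytes = [UInt8](der)
    var index = 0
    func readByte() throws -> UInt8 {
        guard index < bytes.count else { throw DERError.malformed }
        defer { index += 1 }
        return bytes[index]
    }
    func readInteger() throws -> Data {
        guard try readByte() == 0x02 else { throw DERError.malformed }
        let length = try Int(readByte())
        guard length > 0, length < 0x80, index + length <= bytes.count else { throw DERError.malformed }
        defer { index += length }
        return Data(bytes[index..<index + length])
    }
    guard try readByte() == 0x30 else { throw DERError.malformed }
    let sequenceLength = try Int(readByte())
    guard sequenceLength < 0x80, sequenceLength == bytes.count - index else { throw DERError.malformed }
    let r = try fixedWidth(readInteger(), octetLength: octetLength)
    let s = try fixedWidth(readInteger(), octetLength: octetLength)
    guard index == bytes.count else { throw DERError.malformed }  // no trailing bytes
    return r + s
}

// Constructed sample: r is 31 bytes (short), s is 33 bytes (0x00 sign byte + 32).
let shortR = Data(repeating: 0x11, count: 31)
let paddedS = Data([0x00]) + Data(repeating: 0xEE, count: 32)
var der = Data([0x30, UInt8(4 + shortR.count + paddedS.count), 0x02, UInt8(shortR.count)])
der.append(shortR)
der.append(Data([0x02, UInt8(paddedS.count)]) + paddedS)
let raw = try rawSignature(fromDER: der)
assert(raw.count == 64 && raw[0] == 0x00 && raw[1] == 0x11 && raw[32] == 0xEE)
print(raw.map { String(format: "%02x", $0) }.joined())
```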

@ethanhuang13
Owner

Thanks for your detailed explanation. I'll take a look after WWDC.
