RSAKey verify error (PKCS#1 unpad: i=0, expected b[i]==[0,1,2]) about as3crypto HOT 10 OPEN

Perhaps this is caused by the same problem causing defect #27
Are you running 64bit flash?

As far as I know I'm not running it in 64-bit mode.  This is happening on a mac
running Leopard.

I'm having the same problem trying to use the verify function.  I'm running 32 
bit
debug flash on a windows machines, and I've implemented the fix for #27 just in 
case. 

I'm pretty sure that isn't the issue here.

I bashed my head against this for a while and figured out the problem I was 
getting:
I was generating the signature in php and writing it to a file, and I needed to
base_64 encode it first.

in php:
openssl_sign($text, $signature, $private_key);
$signature= base64_encode($signature);

then in flash:
var src:ByteArray =Base64.decodeToByteArray(signature);
var dst:ByteArray = new ByteArray();
verifier.verify(src, dst, src.length);

If you're using a pre generated certificate, there's probably a good chance 
that you
have a similar formatting problem.  Your signature should consist mainly of 
letters
and numbers :
UyaNH1l7O+V5kDGGWlGTapTVREXAHbgGDSiZ7gnSTVAetu43wH6yGa6Hzpb7BHq4sx9vPDHcHHtqnnpZ
BYS8KQ==

and not be something like this:
ÒMP¶î7À~²®Îûz¸³o<1Ü{jzY iY{;åy1ZQjÕDEÀ¸


I'm still working on getting everything to work properly, but I'm no longer 
getting
"PKCS#1 unpad: i=0, expected b[i]==[0,1,2], got b[i]=51" errors from 
RSAKey.verify

It may be worth checking out this 
http://ria101.wordpress.com/2010/06/04/as3crypto-rsa-padding-function-
returned-null-bug-of-death-fix/

In case someone else has the same problem, my test case was :

var data : ByteArray = new ByteArray;
for ( var k : int = 0 ; k < 25000 ; k++ )
    data.writeUnsignedInt( uint.MAX_VALUE * Math.random() ); 
var sha : SHA256 = new SHA256();
var hash : ByteArray = sha.hash( data );
var rsa : RSAKey = RSAKey.generate( 512, "0x10001" );
var signature : ByteArray = new ByteArray;
rsa.sign( hash, signature, hash.length );
var output : ByteArray = new ByteArray;
rsa.verify( signature, output, signature.length );

After a few hours trying to adjust the padding functions, I ran through the 
demo code and saw that the second argument of RSAKey.generate take a non 
standard hex string "10001 instead of "0x10001".

So i just changed :
var rsa : RSAKey = RSAKey.generate( 512, "0x10001" );
To :
var rsa : RSAKey = RSAKey.generate( 512, "10001" );
And everything worked perfectly.

I felt ashamed for a moment but finally I think the real problem is the missing 
documentation. I don't know if it will solve your problem but it can help 
someone else.

Adding some data to this issue. I've been taking a second shot at trying to 
figure it out, but I think the issue may be in the BigInteger class which is a 
little too complicated for me.

The cert I'm trying to use in my application is signed by DigiCert using a cert 
of their's with the subject:
"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3"

I've attached the PEM-encoded cert which I used to generate the block I needed 
to add to MozillaRootCertificates.as (DigiCertHighAssuranceCA-3.pem). The cert 
was exported from Firefox. To get the C code used in the parsing tool 
grabRootCAs.pl, I used the command:

> openssl x509 -in DigiCertHighAssuranceCA-3.pem -inform PEM -C

I then used the hex-encoded subject_name variable and performed the 
transformation done in grabRootCAs.pl to come up with a subject value of:

MGYxCzAJBgNVBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp
Y2VydC5jb20xJTAjBgNVBAMTHERpZ2lDZXJ0IEhpZ2ggQXNzdXJhbmNlIENBLTM=

The addPEMCertificate call is in the DigiCert CA-3.txt file.

Once this was complete, I tried connecting to a TLS socket which uses a cert 
signed using the certificate I just added. When the code is trying to call 
RSAKey.verify on the RSA key in the DigiCert CA-3 certificate, it fails:

PKCS#1 unpad: i=0, expected b[i]==1, got b[i]=5e
TLSEngine shutdown triggered by Error: Decrypt error - padding function 
returned null!

I have exactly the same issue using an Entrust L1C cert, chained off the 
Entrust 2048 root.

Perhaps this is related to some kind of cert chaining issue?
Tracking though the code finally gets me to the failing unpad function where is 
appears that the result of the decrypt has resulted in a horribly broken 
BigInteger value.

Does anyone have any further insight?

Hi,

I have found the issue and attached a diff that will fix this against the 1.3 
branch.

In short the issue is related to chained certs:

isSelfSigned() is broken. The pad function breaks (as it should) but this is 
incorrectly handled. This should fail gracefully allowing the code in 
isSigned() to chain to the next cert.

Just tried this and it looks like it works for my cert as well. Currently using 
the svn checkout version of the library, so had to make some small changes in 
the diff.

Thanks for posting this!