Implement RSA verification

[Amxx]

Fix LIB-1238

Work in progress. Based on https://github.com/adria0/SolRsaVerify

Tests:

• parse SigVer15_186-3.rsp from here and automatically run all test examples.
• also run two extra tests from https://github.com/adria0/SolRsaVerify

For now, only sha256 is supported. @nobles/hash provides all the function we need to generate the digest, and SigVer15_186-3.rsp contains more tests.

Do we want to support more?

PR Checklist

• Tests
• Documentation
• Changeset entry (run npx changeset add)

[changeset-bot]

🦋 Changeset detected

Latest commit: f50d89a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
openzeppelin-solidity	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[ernestognw]

Managed to navigate through RFC 8017 and mostly looks good.

[ernestognw]

I guess we reject length less than 0x40 because it wouldn't be secure. I wonder if 0x40 was arbitrarily chosen. If so, we need to evaluate it carefully, as far as I remember, RSA's security is p * q so a 512 bits signature is crackable in reasonable time.

Found this as a reference, but seems like 512 bits (0x40 bytes) signatures are pretty much broken.
https://github.com/tomrittervg/cloud-and-control/blob/master/gnfs-info/factoring-howto.txt

RFC 3447 is from 2003 and was superseded by RFC 8017, though, I couldn't find a recommendation for the mod length. Allegedly, 512 bits security was first broken in 1999, so my estimations say that we might increase this to 0x80 at least.

Needs discussion

[ernestognw]

I took the freedom of renaming the functions since one that receives a bytes32 digest is not exclusively sha256 as far as I can tell. Theoretically, a user can sign with RSA using any digest they like.

Similarly, I renamed the function arguments to match those referenced in RFC 8017. I think it's cleaner

For now, only sha256 is supported. @nobles/hash provides all the function we need to generate the digest, and SigVer15_186-3.rsp contains more tests.

Do we want to support more?

Honestly, I don't think so, we'd require to adjust the param checks according to the length of the digest since we're counting backward to get the digest and allow optional digest info parameters.

I'm marking this as ready for review since I think it's already good enough and I already feel comfortable with its security.

[ernestognw]

In my opinion, I think the last thing to resolve is whether to restrict n to have a minimum length or not. I added a note (probably should be a warning) suggesting that no key with length less than 2048 bits should be used.

If we don't find a reason to continue allowing smaller lengths, then I'd advocate for restricting the function.

Aside from that, we need to cover the missing test cases (should be trivial) and it'll be good to go

[cairoeth]

this test is actually not reverting at the modExp step, but instead here because of sp > np. is there a way we can have more accurate checks when the return data is a boolean? maybe by measuring gas?

[Amxx]

It feels like the only way for modExp to fail is if mod = 0. If we check that s < n, then we know that n > 0, and there may be no way for modExp to fail.

[ernestognw]

Added some docs as well. LGTM.

I'd wait for a second approval.

[cairoeth]

lgtm -- @ernestognw: I added a replay protection notice on the docs page

[ernestognw]

lgtm -- @ernestognw: I added a replay protection notice on the docs page

Thanks, looking good. Approving again