What were you trying to do that didn't work?
libgcrypt does not correctly pad RSASSA-PKCS1-v1_5 signatures that use SHA3.
Please provide the package NVR for which the bug is seen:
master@3abac420b30ad4aeef803b23995303ac6bb563fa
How reproducible:
Run the attached reproducer with sha3-224, sha3-256, sha3-384, or sha3-512 as argument (the same problem occurs with shake128 or shake256, but the reproducer cannot show that).
Steps to reproduce
- gcc -std=c99 -Wall -Werror -pedantic -o test test.c -lgcrypt
- ./test sha3-256 | sed 1d | sed -E 's/01(ff)*00//' | xxd -ps -r | openssl asn1parse -inform DER
  - sed 1d removes the first line of output, which is the signature in hex
  - sed -E 's/01(ff)*00//' removes the PKCS#1 padding
  - xxd -ps -r converts the hex output to binary
  - openssl asn1parse -inform DER attempts to parse the resulting ASN.1
  - As an alternative to openssl asn1parse, other ASN.1 parsers such as der2ascii can also be used
Expected results
The output is valid and the expected SHA3 OIDs are used
Actual results
The output is invalid because it is not valid ASN.1. The SHA3 OIDs are not used.
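
The check that the shell pipeline above performs by hand can also be written as a structural test on the encoded message. The following is an added example, not part of the report or of libgcrypt: the function names and the sample buffers are hypothetical and constructed. It assumes a full-length encoded message with the leading 0x00 present and a SHA3-256 DigestInfo that encodes NULL parameters, as the SHA-2 prefixes do.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER DigestInfo prefix for SHA3-256: SEQUENCE { SEQUENCE { OID
 * 2.16.840.1.101.3.4.2.8, NULL }, OCTET STRING of 32 bytes }.
 * Assumption: NULL parameters are encoded, as in the SHA-2 prefixes. */
static const unsigned char SHA3_256_PREFIX[] = {
    0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01,
    0x65, 0x03, 0x04, 0x02, 0x08, 0x05, 0x00, 0x04, 0x20};
#define SHA3_256_LEN 32

enum em_status { EM_OK, EM_BAD_PADDING, EM_BAD_DIGESTINFO };

/* Check EMSA-PKCS1-v1_5 layout: 00 01 FF..FF 00 || DigestInfo (>= 8 FF bytes). */
enum em_status check_em_sha3_256(const unsigned char *em, size_t len)
{
    size_t i = 2;
    if (len < 11 || em[0] != 0x00 || em[1] != 0x01)
        return EM_BAD_PADDING;
    while (i < len && em[i] == 0xff)
        i++;
    if (i < 10 || i >= len || em[i] != 0x00)
        return EM_BAD_PADDING;
    i++; /* first byte after the separator */
    /* Exact length match, so nothing can trail the digest. */
    if (len - i != sizeof SHA3_256_PREFIX + SHA3_256_LEN ||
        memcmp(em + i, SHA3_256_PREFIX, sizeof SHA3_256_PREFIX) != 0)
        return EM_BAD_DIGESTINFO;
    return EM_OK;
}

/* Constructed sample EM; with_prefix = 0 omits the DigestInfo header. */
void build_sample(unsigned char *em, size_t len, int with_prefix)
{
    size_t t = SHA3_256_LEN + (with_prefix ? sizeof SHA3_256_PREFIX : 0);
    memset(em, 0xff, len);
    em[0] = 0x00; em[1] = 0x01; em[len - t - 1] = 0x00;
    if (with_prefix)
        memcpy(em + len - t, SHA3_256_PREFIX, sizeof SHA3_256_PREFIX);
    memset(em + len - SHA3_256_LEN, 0xab, SHA3_256_LEN); /* placeholder digest */
}

int main(void)
{
    unsigned char em[256];
    build_sample(em, sizeof em, 1);
    printf("with DigestInfo: %d\n", check_em_sha3_256(em, sizeof em));
    build_sample(em, sizeof em, 0);
    printf("bare digest:     %d\n", check_em_sha3_256(em, sizeof em));
    return 0;
}
```

The bare-digest sample only illustrates one way a block can fail the check; it is not a claim about the exact bytes libgcrypt emits.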