The OID parser allows any number of random bytes after a valid OID for a PKCS#1.5 signature. The asn1_known_oid() function just parses until it finds a leaf in the tree of known OIDs, any further data that follows is simply ignored. And the function that parses ASN.1 algorithmIdentifier structures doesn't care if the full OID data was parsed as it usually doesn't really matter. A missing check to reject junk and random key parameters allows attackers to carry out a Bleichenbacher-style attack on low-exponent keys and create forged signatures.
The OID parser allows any number of random bytes after a valid OID for a PKCS#1.5 signature. The asn1_known_oid() function just parses until it finds a leaf in the tree of known OIDs, any further data that follows is simply ignored. And the function that parses ASN.1 algorithmIdentifier structures doesn't care if the full OID data was parsed as it usually doesn't really matter. A missing check to reject junk and random key parameters allows attackers to carry out a Bleichenbacher-style attack on low-exponent keys and create forged signatures.
https://github.com/strongswan/strongswan/commit/5955db5b124a1ee5f44c0845b6e00c86fddae67c
Vulmon