To give an example of what can go wrong, here is a method from RsaPublicKey.java:
```java
@Override
public boolean verify(ByteBuffer sig) throws KeyczarException {
  try {
    return signature.verify(sig.array(), sig.position(), sig.limit()
        - sig.position());
  } catch (GeneralSecurityException e) {
    throw new KeyczarException(e);
  }
}
```
There are two relevant bugs here:

1. Currently the caller expects that verify returns false when the signature is invalid. However, when, for example, the size of the signature is wrong, the JCE providers I have tested throw a SignatureException. In this case Keyczar does not try further key versions.

2. Even worse, at least the SUN provider does not implement RSA signature verification properly. The main problem is a sloppy implementation of the BER decoder. For example, the byte sequence 05 80 (instead of 05 00) for NULL throws a ClassCastException. I found some other sequences that throw other runtime exceptions: ArrayIndexOutOfBoundsException, NegativeArraySizeException and InvalidArgumentException.

Because of the 32-bit key hashes, correct signatures are rejected with a probability of about 2^(-48), hence the bugs above will hardly occur.
Original issue reported on code.google.com by swillden@google.com on 22 Oct 2012 at 2:08
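
One way to get the behaviour the caller expects, shown as an added example that is not part of the original report and is not Keyczar code: a verification wrapper that turns provider failures on malformed signature bytes into `false`, so the loop over key versions continues. The names `TolerantVerify`, `verifyOrFalse` and `verifyAny`, the `SHA256withRSA` algorithm and the sample message are assumptions made for this illustration.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import java.util.List;

public class TolerantVerify {
    // Hypothetical helper: any provider failure on the untrusted signature bytes means "invalid".
    static boolean verifyOrFalse(PublicKey key, byte[] data, ByteBuffer sig) {
        try {
            Signature s = Signature.getInstance("SHA256withRSA");
            s.initVerify(key);
            s.update(data);
            return s.verify(sig.array(), sig.arrayOffset() + sig.position(), sig.remaining());
        } catch (SignatureException | RuntimeException e) {
            // Wrong length (SignatureException) or a decoder that throws a runtime
            // exception on malformed input: report failure instead of aborting.
            return false;
        } catch (GeneralSecurityException e) {
            // Unknown algorithm or unusable key is a configuration error, not a bad signature.
            throw new IllegalStateException(e);
        }
    }

    // Hypothetical stand-in for the caller's loop over key versions.
    static boolean verifyAny(List<PublicKey> versions, byte[] data, byte[] sig) {
        for (PublicKey k : versions) {
            if (verifyOrFalse(k, data, ByteBuffer.wrap(sig))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair oldKey = gen.generateKeyPair();
        KeyPair newKey = gen.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(newKey.getPrivate());
        signer.update(msg);
        byte[] good = signer.sign();
        byte[] truncated = Arrays.copyOf(good, good.length - 1); // constructed wrong-size signature

        List<PublicKey> versions = Arrays.asList(oldKey.getPublic(), newKey.getPublic());
        System.out.println("signature from second key version: " + verifyAny(versions, msg, good));
        System.out.println("truncated signature: " + verifyAny(versions, msg, truncated));
    }
}
```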