wohaph / keyczar

Automatically exported from code.google.com/p/keyczar

If signature verification throws an exception, further keys in the set will not be used to attempt verification #107

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
To give an example of what can go wrong, here is a method from RsaPublicKey.java:

    @Override
    public boolean verify(ByteBuffer sig) throws KeyczarException {
      try {
        return signature.verify(sig.array(), sig.position(), sig.limit()
            - sig.position());
      } catch (GeneralSecurityException e) {
        throw new KeyczarException(e);
      }
    }

There are two relevant bugs here:

Currently the caller expects that verify returns false when the signature is invalid. However, when for example the size of the signature is wrong, then the JCE providers I have tested throw a SignatureException. In this case Keyczar does not try further key versions.

Even worse, at least the SUN provider does not implement RSA signature verification properly. The main problem is a sloppy implementation of the BER decoder. For example, the byte sequence 05 80 (instead of 05 00) for NULL throws a ClassCastException. I found some other sequences that throw other runtime exceptions: ArrayIndexOutOfBoundsException, NegativeArraySizeException and InvalidArgumentException.

Because of the 32-bit key hashes, correct signatures are rejected with a probability of about 2^(-48), hence the bugs above will hardly occur.

Original issue reported on code.google.com by swillden@google.com on 22 Oct 2012 at 2:08
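The failure mode described in the comment above, as an added example that is not Keyczar's code and not the fix referenced for issue 108: a verification loop over several candidate keys that treats a provider exception on one key as "this key did not verify" and continues with the next one. The class name `VerifyAllKeys`, the helper `verifyAny`, the key sizes and the sample message are assumptions made for illustration; only standard `java.security` calls are used.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.util.List;

public class VerifyAllKeys {
    // Hypothetical helper: returns true only if some candidate key verifies the
    // signature. A per-key failure never aborts the loop, and the method fails
    // closed (false) when no key verifies.
    static boolean verifyAny(List<PublicKey> keys, byte[] msg, byte[] sig) {
        for (PublicKey key : keys) {
            try {
                Signature s = Signature.getInstance("SHA256withRSA");
                s.initVerify(key);
                s.update(msg);
                if (s.verify(sig)) {
                    return true;
                }
            } catch (GeneralSecurityException | RuntimeException e) {
                // Wrong-length or malformed signature for this key (SignatureException,
                // or a runtime exception from the provider's decoder): try the next key.
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two key versions with different modulus sizes,
        // standing in for two keys whose 32-bit key hashes collide.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair older = gen.generateKeyPair();
        gen.initialize(3072);
        KeyPair current = gen.generateKeyPair();

        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(current.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign(); // 384 bytes: the wrong length for the 2048-bit key

        List<PublicKey> keys = List.of(older.getPublic(), current.getPublic());
        System.out.println("valid signature accepted: " + verifyAny(keys, msg, sig));
        sig[0] ^= 0x01; // tamper with the signature
        System.out.println("tampered signature accepted: " + verifyAny(keys, msg, sig));
    }
}
```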

GoogleCodeExporter commented 9 years ago
The fix for issue 108 fixes this too.

Original comment by jtu...@gmail.com on 4 Jul 2013 at 4:34