changeset 12069:a956a914f3a4

8161571: Verifying ECDSA signatures permits trailing bytes Reviewed-by: xuelei
author igerasim
date Wed, 23 Nov 2016 11:41:41 +0300
parents 8e1d25cbf58e
children 31dae74ad077
files src/share/classes/sun/security/ec/ECDSASignature.java src/share/classes/sun/security/pkcs11/P11Signature.java src/share/classes/sun/security/provider/DSA.java test/java/security/Signature/SignatureLength.java
diffstat 4 files changed, 124 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/ec/ECDSASignature.java	Mon Nov 28 13:52:41 2016 -0800
+++ b/src/share/classes/sun/security/ec/ECDSASignature.java	Wed Nov 23 11:41:41 2016 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package sun.security.ec;
 
+import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.math.BigInteger;
 
@@ -370,6 +371,11 @@
             DerValue[] values = in.getSequence(2);
             BigInteger r = values[0].getPositiveBigInteger();
             BigInteger s = values[1].getPositiveBigInteger();
+
+            // Check for trailing signature data
+            if (in.available() != 0) {
+                throw new IOException("Incorrect signature length");
+            }
             // trim leading zeroes
             byte[] rBytes = trimZeroes(r.toByteArray());
             byte[] sBytes = trimZeroes(s.toByteArray());
--- a/src/share/classes/sun/security/pkcs11/P11Signature.java	Mon Nov 28 13:52:41 2016 -0800
+++ b/src/share/classes/sun/security/pkcs11/P11Signature.java	Wed Nov 23 11:41:41 2016 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -711,6 +711,11 @@
             DerValue[] values = in.getSequence(2);
             BigInteger r = values[0].getPositiveBigInteger();
             BigInteger s = values[1].getPositiveBigInteger();
+
+            // Check for trailing signature data
+            if (in.available() != 0) {
+                throw new IOException("Incorrect signature length");
+            }
             byte[] br = toByteArray(r, 20);
             byte[] bs = toByteArray(s, 20);
             if ((br == null) || (bs == null)) {
@@ -730,6 +735,11 @@
             DerValue[] values = in.getSequence(2);
             BigInteger r = values[0].getPositiveBigInteger();
             BigInteger s = values[1].getPositiveBigInteger();
+
+            // Check for trailing signature data
+            if (in.available() != 0) {
+                throw new IOException("Incorrect signature length");
+            }
             // trim leading zeroes
             byte[] br = KeyUtil.trimZeroes(r.toByteArray());
             byte[] bs = KeyUtil.trimZeroes(s.toByteArray());
--- a/src/share/classes/sun/security/provider/DSA.java	Mon Nov 28 13:52:41 2016 -0800
+++ b/src/share/classes/sun/security/provider/DSA.java	Wed Nov 23 11:41:41 2016 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -273,6 +273,10 @@
             r = values[0].getBigInteger();
             s = values[1].getBigInteger();
 
+            // Check for trailing signature data
+            if (in.available() != 0) {
+                throw new IOException("Incorrect signature length");
+            }
         } catch (IOException e) {
             throw new SignatureException("invalid encoding for signature");
         }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/Signature/SignatureLength.java	Wed Nov 23 11:41:41 2016 +0300
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.*;
+
+/*
+ * @test
+ * @bug 8161571
+ * @summary Reject signatures presented for verification that contain extra
+ *          bytes.
+ * @run main SignatureLength
+ */
+public class SignatureLength {
+
+    public static void main(String[] args) throws Exception {
+        main0("EC", 256, "SHA256withECDSA", "SunEC");
+        main0("RSA", 2048, "SHA256withRSA", "SunRsaSign");
+        main0("DSA", 2048, "SHA256withDSA", "SUN");
+
+        if (System.getProperty("os.name").equals("SunOS")) {
+            main0("EC", 256, "SHA256withECDSA", null);
+            main0("RSA", 2048, "SHA256withRSA", null);
+        }
+    }
+
+    private static void main0(String keyAlgorithm, int keysize,
+            String signatureAlgorithm, String provider) throws Exception {
+        byte[] plaintext = "aaa".getBytes("UTF-8");
+
+        // Generate
+        KeyPairGenerator generator =
+            provider == null ?
+                (KeyPairGenerator) KeyPairGenerator.getInstance(keyAlgorithm) :
+                (KeyPairGenerator) KeyPairGenerator.getInstance(
+                                       keyAlgorithm, provider);
+        generator.initialize(keysize);
+        System.out.println("Generating " + keyAlgorithm + " keypair using " +
+            generator.getProvider().getName() + " JCE provider");
+        KeyPair keypair = generator.generateKeyPair();
+
+        // Sign
+        Signature signer =
+            provider == null ?
+                Signature.getInstance(signatureAlgorithm) :
+                Signature.getInstance(signatureAlgorithm, provider);
+        signer.initSign(keypair.getPrivate());
+        signer.update(plaintext);
+        System.out.println("Signing using " + signer.getProvider().getName() +
+            " JCE provider");
+        byte[] signature = signer.sign();
+
+        // Invalidate
+        System.out.println("Invalidating signature ...");
+        byte[] badSignature = new byte[signature.length + 5];
+        System.arraycopy(signature, 0, badSignature, 0, signature.length);
+        badSignature[signature.length] = 0x01;
+        badSignature[signature.length + 1] = 0x01;
+        badSignature[signature.length + 2] = 0x01;
+        badSignature[signature.length + 3] = 0x01;
+        badSignature[signature.length + 4] = 0x01;
+
+        // Verify
+        Signature verifier =
+            provider == null ?
+                Signature.getInstance(signatureAlgorithm) :
+                Signature.getInstance(signatureAlgorithm, provider);
+        verifier.initVerify(keypair.getPublic());
+        verifier.update(plaintext);
+        System.out.println("Verifying using " +
+            verifier.getProvider().getName() + " JCE provider");
+
+        try {
+            System.out.println("Valid? " + verifier.verify(badSignature));
+            throw new Exception(
+                "ERROR: expected a SignatureException but none was thrown");
+        } catch (SignatureException e) {
+            System.out.println("OK: caught expected exception: " + e);
+        }
+        System.out.println();
+    }
+}