From 14e7d911997d33eba2893991fa0e2f507aa977f8 Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Tue, 26 Apr 2022 20:47:59 +0000
Subject: [PATCH] 8285404: RSA signature verification should reject non-DER OCTET STRING

Reviewed-by: valeriep
---
 .../share/classes/sun/security/rsa/RSASignature.java | 4 ++++
 src/java.base/share/classes/sun/security/rsa/RSAUtil.java | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/src/java.base/share/classes/sun/security/rsa/RSASignature.java b/src/java.base/share/classes/sun/security/rsa/RSASignature.java
index 64ae7a50a01..a5969ade9b9 100644
--- a/src/java.base/share/classes/sun/security/rsa/RSASignature.java
+++ b/src/java.base/share/classes/sun/security/rsa/RSASignature.java
@@ -215,6 +215,10 @@ abstract class RSASignature extends SignatureSpi {
 byte[] digest = getDigestValue();
 byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
 byte[] unpadded = padding.unpad(decrypted);
+ // https://www.rfc-editor.org/rfc/rfc8017.html#section-8.2.2
+ // Step 4 suggests comparing the encoded message instead of the
+ // decoded, but some vendors might omit the NULL params in
+ // digest algorithm identifier.
 byte[] decodedDigest = RSAUtil.decodeSignature(digestOID, unpadded);
 return MessageDigest.isEqual(digest, decodedDigest);
 } catch (javax.crypto.BadPaddingException e) {
diff --git a/src/java.base/share/classes/sun/security/rsa/RSAUtil.java b/src/java.base/share/classes/sun/security/rsa/RSAUtil.java
index 54fa42700c7..80bff330aa2 100644
--- a/src/java.base/share/classes/sun/security/rsa/RSAUtil.java
+++ b/src/java.base/share/classes/sun/security/rsa/RSAUtil.java
@@ -200,6 +200,9 @@ public class RSAUtil {
 if (algId.getEncodedParams() != null) {
 throw new IOException("Unexpected AlgorithmId parameters");
 }
+ if (values[1].isConstructed()) {
+ throw new IOException("Unexpected constructed digest value");
+ }
 byte[] digest = values[1].getOctetString();
 return digest;
 }
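Review bot: The new comment above the `RSAUtil.decodeSignature` call explains why the encoded message is not compared byte-for-byte, but it does not say what that choice makes load-bearing: once only the decoded digest is compared, the decoder is the sole thing preventing a digest from having more than one accepted DigestInfo encoding, so every DER-strictness check inside `decodeSignature` becomes part of the verification contract. I would add one line after the existing comment: `// Consequently decodeSignature must reject every non-DER DigestInfo encoding, not just the digest value itself.` The enclosing verify method starts and ends outside this hunk, so I cannot see whether `padding.unpad` already enforces that `unpadded` is consumed entirely by the DER parse; if trailing bytes after the DigestInfo are not rejected somewhere, that would be worth a second note here.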
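Review bot: The added `values[1].isConstructed()` check rejects the constructed form of the OCTET STRING, but the commit title promises rejecting any non-DER OCTET STRING, and the other BER-only variants (indefinite length, non-minimal length octets) are not covered by this guard; whether the `DerValue` parser that produced `values` already rejects those is not visible in the hunk, so that assumption should be stated. I would put a comment on the new `if`: `// DER (X.690 10.2) forbids constructed OCTET STRINGs; without this check a BER parser would accept several encodings of the same digest. Length-encoding strictness is assumed to be enforced by DerValue.` The enclosing `decodeSignature` method and the definition of `values` both start outside this hunk.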