- Bug
- Resolution: Fixed
- P4
- 8, 9, 12, 13
- b13
- Verified
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8222303 | 12u-cpu | Ivan Gerasimov | P4 | Resolved | Fixed | master |
JDK-8222304 | 11.0.5-oracle | Ivan Gerasimov | P4 | Resolved | Fixed | b01 |
JDK-8225246 | 11.0.5 | Christoph Langer | P4 | Resolved | Fixed | b01 |
JDK-8230595 | openjdk8u232 | Martin Balao Alonso | P4 | Resolved | Fixed | b05 |
JDK-8222305 | 8u231 | Ivan Gerasimov | P4 | Resolved | Fixed | b01 |
JDK-8229621 | emb-8u231 | Ivan Gerasimov | P4 | Resolved | Fixed | b01 |
JDK-8222306 | 7u241 | Ivan Gerasimov | P4 | Resolved | Fixed | b01 |
In sun/security/ec/impl/ec.c ECDSA_SignDigestWithSeed() lines 755-760, the digest is truncated using the following code:
```c
/* In the definition of EC signing, digests are truncated
 * to the length of n in bits.
 * (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
if (digest->len*8 > (unsigned int)ecParams->fieldID.size) {
    mpl_rsh(&s,&s,digest->len*8 - ecParams->fieldID.size);
}
```
However, the fieldID.size is not necessarily equal to the number of bits in the base point order, n. For example, with the standard F2M curves sect163r1 and sect283r1, the number of bits in n is one less than the field size: 162 and 282 bits, respectively. This leads to incorrect signatures when using hash algorithms that produce message digests longer than the field size.
Some cases to reproduce the issue are:
- sect163r1 for ECDSA signatures using SHA 256, 384, 512
- sect283r1 for ECDSA signatures using SHA 384, 512
I observed this issue when using jdk1.7.0_45, and still see the above code in the source for openjdk-8-src-b132-03_mar_2014.zip.
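The mismatch described in this report can be reproduced without any elliptic-curve arithmetic. The following is an added example, not part of the original report or of the JDK source: it truncates each digest once to the field size (as the quoted code does) and once to the bit length of n, and lists the curve/hash pairs where the two results differ. The names `truncate`, `affected_cases`, `CURVES`, `HASHES` and `SAMPLE` are assumptions made for illustration; the bit lengths are the ones stated in the report.

```python
import hashlib

# (field size in bits, bit length of the base point order n), as stated in the report.
CURVES = {"sect163r1": (163, 162), "sect283r1": (283, 282)}
HASHES = ("sha1", "sha256", "sha384", "sha512")

# Constructed sample message; any input shows the same pattern.
SAMPLE = b"constructed sample message"


def truncate(digest: bytes, bits: int) -> int:
    """Return the leftmost `bits` bits of `digest` as an integer.

    Digests that are already no longer than `bits` are used unchanged.
    """
    value = int.from_bytes(digest, "big")
    excess = len(digest) * 8 - bits
    return value >> excess if excess > 0 else value


def affected_cases(message: bytes) -> list:
    """List (curve, hash) pairs where truncating to the field size gives a
    different integer than truncating to the bit length of n."""
    cases = []
    for curve, (field_bits, order_bits) in CURVES.items():
        for name in HASHES:
            digest = hashlib.new(name, message).digest()
            by_field = truncate(digest, field_bits)   # what the quoted code computes
            by_order = truncate(digest, order_bits)   # truncation to the length of n
            if by_field != by_order:
                cases.append((curve, name))
    return cases


if __name__ == "__main__":
    for curve, name in affected_cases(SAMPLE):
        print(f"{curve} + {name}: digest integer differs")
```

When both truncations apply, the field-size result keeps one extra low-order bit, so a signature computed over it does not verify in an implementation that truncates to the length of n.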
- backported by
  - JDK-8222303 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
  - JDK-8222304 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
  - JDK-8222305 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
  - JDK-8222306 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
  - JDK-8225246 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
  - JDK-8229621 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
  - JDK-8230595 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size (Resolved)
- relates to
  - JDK-8221172 SunEC specific test is not limited to SunEC (Resolved)