Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correct padding when extracting r and s components of the DER encoded EC signature #56

Merged
merged 4 commits into from
Feb 29, 2024
Merged

Correct padding when extracting r and s components of the DER encoded EC signature #56

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8db30c7
test for invalid signature using EC521
spwitt Feb 27, 2024
af79d25
Fix padding when extracting the r and s components of the EC signatur…
robotdan Feb 28, 2024
0cff1e0
Add additional copy to explain the padding that we may encounter when…
robotdan Feb 29, 2024
2af293d
rename len to componentLength
robotdan Feb 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions fusionauth-jwt.iml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@
</CLASSES>
<JAVADOC />
<SOURCES>
<root url="jar://$MODULE_DIR$/.savant/cache/com/fasterxml/jackson/core/jackson-databind/2.15.2/jackson-databind-2.15.2-sources.jar!/" />
<root url="jar://$MODULE_DIR$/.savant/cache/com/fasterxml/jackson/core/jackson-databind/2.15.2/jackson-databind-2.15.2-src.jar!/" />
</SOURCES>
</library>
</orderEntry>
Expand All @@ -31,7 +31,7 @@
</CLASSES>
<JAVADOC />
<SOURCES>
<root url="jar://$MODULE_DIR$/.savant/cache/com/fasterxml/jackson/core/jackson-annotations/2.15.2/jackson-annotations-2.15.2-sources.jar!/" />
<root url="jar://$MODULE_DIR$/.savant/cache/com/fasterxml/jackson/core/jackson-annotations/2.15.2/jackson-annotations-2.15.2-src.jar!/" />
</SOURCES>
</library>
</orderEntry>
Expand All @@ -42,7 +42,7 @@
</CLASSES>
<JAVADOC />
<SOURCES>
<root url="jar://$MODULE_DIR$/.savant/cache/com/fasterxml/jackson/core/jackson-core/2.15.2/jackson-core-2.15.2-sources.jar!/" />
<root url="jar://$MODULE_DIR$/.savant/cache/com/fasterxml/jackson/core/jackson-core/2.15.2/jackson-core-2.15.2-src.jar!/" />
</SOURCES>
</library>
</orderEntry>
Expand Down
17 changes: 12 additions & 5 deletions src/main/java/io/fusionauth/jwt/ec/ECDSASignature.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018-2019, FusionAuth, All Rights Reserved
* Copyright (c) 2018-2024, FusionAuth, All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -86,10 +86,17 @@ public byte[] derDecode(Algorithm algorithm) throws IOException {
}

int len = result.length / 2;
//noinspection ManualMinMaxCalculation
System.arraycopy(r, r.length > len ? 1 : 0, result, r.length < len ? 1 : 0, r.length > len ? len : r.length);
//noinspection ManualMinMaxCalculation
System.arraycopy(s, s.length > len ? 1 : 0, result, s.length < len ? (len + 1) : len, s.length > len ? len : s.length);

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add a comment for these after they are cleaned up about offsetting the destination position for left padding when r or s is shorter than 66 bytes in the ES512 case.

Do we know whether it only happens with that algorithm? Or just that we have never seen it with another?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can occur in any algorithm in theory. In my testing, I could get r and s src and dst positions to be greater than 0 for all three algorithms.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Okay. The updated code seems good then. I still think there should be a comment about how these changes account for left padding with 0s in both the source and destination byte arrays.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️

int rSrcPos = r.length > len ? (r.length - len) : 0;
spwitt marked this conversation as resolved.
Show resolved Hide resolved
int rDstPos = Math.max(0, len - r.length);
int rLength = Math.min(r.length, len);
System.arraycopy(r, rSrcPos, result, rDstPos, rLength);
spwitt marked this conversation as resolved.
Show resolved Hide resolved

int sSrcPos = s.length > len ? (s.length - len) : 0;
int sDstPos = s.length < len ? (len + (len - s.length)) : len;
int sLength = Math.min(s.length, len);
System.arraycopy(s, sSrcPos, result, sDstPos, sLength);

return result;
}

Expand Down
20 changes: 14 additions & 6 deletions src/test/java/io/fusionauth/jwt/JWTTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2016-2022, FusionAuth, All Rights Reserved
* Copyright (c) 2016-2024, FusionAuth, All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -742,8 +742,10 @@ public void test_expiration_clockSkew() {
assertEquals(actual.subject, "1234567890");
}

@Test
@Test(invocationCount = 2_000)
public void test_external_ec_521() {
// The purpose of the large invocation is to ensure we are consistently extracting the r and s components of the DER encoded signature.
// - Performing this test 1-3k times is generally sufficient to produce at least 1-3 errors prior to fixing the bug.
JWT jwt = new JWT()
.setSubject("1234567890")
.addClaim("name", "John Doe")
Expand Down Expand Up @@ -778,8 +780,10 @@ public void test_external_ec_521() {
assertEquals(actual.subject, jwt.subject);
}

@Test
@Test(invocationCount = 2_000)
public void test_external_ec_p256() {
// The purpose of the large invocation is to ensure we are consistently extracting the r and s components of the DER encoded signature.
// - Performing this test 1-3k times is generally sufficient to produce at least 1-3 errors prior to fixing the bug.
JWT jwt = new JWT()
.setSubject("1234567890")
.addClaim("name", "John Doe")
Expand All @@ -806,8 +810,10 @@ public void test_external_ec_p256() {
assertEquals(actual.subject, jwt.subject);
}

@Test
@Test(invocationCount = 2_000)
public void test_external_ec_p384() {
// The purpose of the large invocation is to ensure we are consistently extracting the r and s components of the DER encoded signature.
// - Performing this test 1-3k times is generally sufficient to produce at least 1-3 errors prior to fixing the bug.
JWT jwt = new JWT()
.setSubject("1234567890")
.addClaim("name", "John Doe")
Expand Down Expand Up @@ -887,7 +893,7 @@ public void test_multipleSignersAndVerifiers() throws Exception {
verifiers.put("verifier2", verifier2);
verifiers.put("verifier3", verifier3);

// decode all of the encoded JWTs and ensure they come out the same.
// decode all the encoded JWTs and ensure they come out the same.
JWT jwt1 = JWT.getDecoder().decode(encodedJWT1, verifiers);
JWT jwt2 = JWT.getDecoder().decode(encodedJWT2, verifiers);
JWT jwt3 = JWT.getDecoder().decode(encodedJWT3, verifiers);
Expand Down Expand Up @@ -965,8 +971,10 @@ public void test_openssl_keys_p_256() {
assertEquals(actual.subject, jwt.subject);
}

@Test
@Test(invocationCount = 2_000)
public void test_openssl_keys_p_521() {
// The purpose of the large invocation is to ensure we are consistently extracting the r and s components of the DER encoded signature.
// - Performing this test 1-3k times is generally sufficient to produce at least 1-3 errors prior to fixing the bug.
JWT jwt = new JWT()
.setSubject("1234567890")
.addClaim("name", "John Doe")
Expand Down
Loading