Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Test PGPSignatures with LegacyEd25519 keys with short MPIs #1706

Closed
wants to merge 1 commit into from
Closed

Test PGPSignatures with LegacyEd25519 keys with short MPIs #1706

wants to merge 1 commit into from

Conversation

vanitasvitae
Copy link
Contributor

With legacy ed25519 we need to detect the curve (curve25519 / curve448) based on the length of the encoding (see #1675, most notably 105dbef).

However, I noticed, that some ed25519 signatures MPIs are shorter than the expected 2*32 octets (leading 0s), resulting in the code misinterpreting the signature as an ed448 signature. This in turn causes signature verification failures for good signatures.

This patch catches this edge case by allowing short MPIs.

vanitasvitae
vanitasvitae commented Jun 12, 2024
View reviewed changes
pg/src/main/java/org/bouncycastle/openpgp/PGPSignature.java Outdated
@@ -455,7 +455,7 @@ else if (getKeyAlgorithm() == PublicKeyAlgorithmTags.EDDSA_LEGACY)
{
byte[] a = BigIntegers.asUnsignedByteArray(sigValues[0].getValue());
byte[] b = BigIntegers.asUnsignedByteArray(sigValues[1].getValue());
if (a.length + b.length == Ed25519.SIGNATURE_SIZE)
Copy link
Contributor Author

@vanitasvitae vanitasvitae Jun 12, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here, a.length or b.length could be 31 instead of the the expected 32.
Since Ed25519 signatures are shorter than Ed448 signatures, the new comparison should hold.

@vanitasvitae
Copy link
Contributor Author

The test vector (see as PGP packet here) demonstrates the issue by having a short 31-octet r value.

@vanitasvitae vanitasvitae force-pushed the fixEd25519SignatureParsing branch 2 times, most recently from 4894655 to 32ecff8 Compare August 8, 2024 10:24
@vanitasvitae
Copy link
Contributor Author

Fix is already part of main, so I reduced the PR to only contain the test.

@vanitasvitae vanitasvitae changed the title Fix PGPSignatures with LegacyEd25519 keys with short MPIs Test PGPSignatures with LegacyEd25519 keys with short MPIs Aug 22, 2024
hubot pushed a commit that referenced this pull request Sep 11, 2024
#1706 Test PGPSignatures with LegacyEd25519 keys with short MPIs
7624607
hubot pushed a commit that referenced this pull request Sep 11, 2024
@dghgit
Merge branch '1706-pgpsignaure-legacy-ed25519-short-mpis' into 'main'
c51be49 
#1706 Test PGPSignatures with LegacyEd25519 keys with short MPIs

See merge request root/bc-java!31
@vanitasvitae
Copy link
Contributor Author

In main as c51be49

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ligefeiBouncycastle ligefeiBouncycastle Awaiting requested review from ligefeiBouncycastle

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@vanitasvitae @jill-kleiber