Comments (5)
Thanks for your bug report.
Below is a reply from bleichen who can't access GitHub for now.
The signature that is accepted by the SUN provider is a legacy signature.
The provider is deliberately accepting the signature to be compatible with
some legacy implementation that formatted DSA signatures incorrectly.
I don't know what this legacy implementation is or whether it is still in use.
Since it is possible to generate a valid signature from the invalid one
by fixing the ASN format this does not introduce a vulnerability.
We are currently working on switching the tests to a new version that
is using a JSON file for the test vectors. Each test vector has a status
that is either "valid", "invalid" or "acceptable". The expectation is that
a library accepts all signatures that are marked as "valid", rejects
all signatures marked as "invalid" and is free to accept or reject
signatures marked as "acceptable". The signature discussed above
is marked as "acceptable".
BTW, it still makes sense to test vectors marked as "acceptable", because
they should of course not crash an implementation. For Java implementations
we additionally expect for example that verify either returns a boolean or
throws a SignatureException. E.g., so that other exceptions are a clear sign
that there is a bug in the code or configuration.
from wycheproof.
Sorry for the late reply.
It is probably possible to do some stricter checking now. When I wrote the first tests there
were too many libraries that did not care about ASN parsing, and so BER vs DER issues
had to be ignored just so that the bugs did not pass unnoticed.
I'm also working on documenting the test vectors better, so that it should be at least
possible to ignore test vectors for those cases where an implementer disagrees.
from wycheproof.
Thanks for the explanation. That makes sense so I think the issue is solved for me. It would still be useful if, in the future, those accepted modified signatures could optionally be reported (like for avoiding malleability issues) but the tests are already very useful as they are.
from wycheproof.
from wycheproof.
@bbc2 check out the flags in https://github.com/google/wycheproof/blob/master/testvectors/ecdsa_secp256r1_sha256_test.json and other JSON files.
There might be future changes, but I guess this should enough if you want to skip certain malleability tests.
Please reopen if you have any further comments or questions.
from wycheproof.
Related Issues (20)
- How to run Javascript tests?
- Minor feature request: unify JWK representations in JSON test vectors
- Make use of github actions
- No RsassaPkcs1Generate tests in testvectors_v1
- Support for ChaCha20 testvectors? HOT 9
- DsaTest.testTiming() could use a warmup HOT 3
- Zero-length KWP keys should set 'invalid' result HOT 4
- A few KW tests in v1 folder marked "acceptable" violate spec for minimum plaintext length HOT 2
- Duplicate symbol appears in alphabet for FF1 base85 test file HOT 7
- Tag in Ascon-80pq test vector is incorrect HOT 1
- ECDSA: Add recovery ID to test cases HOT 11
- Remove Java and Javascript harnesses HOT 4
- Test vector format HOT 1
- Are Google CLAs still required to contribute? HOT 1
- Is there interest for BLS related test vectors? HOT 1
- What ECDSA algorithms/parameters are relevant? HOT 6
- Transparency of the project HOT 5
- Can HKDF accept empty IKM? HOT 3
- Selecting algorithm names
- Selection of algorithms
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from wycheproof.