incompatibility with libxmlsec

Bug #1797101 reported by Raphael Lisicki
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
openjdk-8 (Ubuntu)
Confirmed
Undecided
Unassigned
xmlsec1 (Ubuntu)
New
Undecided
Unassigned

Bug Description

I was trying to file this bug at the openJDK bugtracker, but only developers are allowed to do so. I got redirected to file it with my distribution, so I hope that this is the right place to file this bug:

I am on Ubuntu 18.04.1 LTS and using openjdk
openjdk-8-jdk:
  Installed: 8u181-b13-0ubuntu0.18.04.1

This issue relates to the XML DSIG implementation.

I have encountered a incompatibility with the xmlsec library available at https://www.aleksey.com/xmlsec/ and also packaged in ubuntu. The issue occurs occasionally when using ECDSA.

The XML field SignatureValue contains the base64 encoded concatentation of the values r and s. The libxmlsec expects to be the signature value to be of always the same size. The JDK implementation however sometimes generates shorter signatures. The length is selected as the bigger of the two integers: https://github.com/unofficial-openjdk/openjdk/blob/531ef5d0ede6d733b00c9bc1b6b3c14a0b2b3e81/src/java.xml.crypto/share/classes/com/sun/org/apache/xml/internal/security/algorithms/implementations/ECDSAUtils.java#L75
My understanding of RFC 6931 Section 2.3.6. and also IEEE 1363 Section E.3.1 is that the length should only depend upon the respective curve and not upon the value of r and s. The line int 'rawLen = Math.max' however leads to a shorter output if both r and s contain leading zeros.

I have also opened a similar report at libxml: https://github.com/lsh123/xmlsec/issues/228

Best regards

Tags: bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openjdk-8 (Ubuntu):
status: New → Confirmed
Revision history for this message
Manuel Biscaia (mbiscaia) wrote :
tags: added: bionic
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.