
Type: Bug

Status: Closed

Priority: P4

Resolution: Fixed

Affects Version/s: 8, 9, 12, 13

Fix Version/s: 13

Component/s: securitylibs

Subcomponent:

Resolved In Build:b13

Verification:Verified
Issue  Fix Version  Assignee  Priority  Status  Resolution  Resolved In Build 

JDK8222303  12ucpu  Ivan Gerasimov  P4  Resolved  Fixed  master 
JDK8222304  11.0.5oracle  Ivan Gerasimov  P4  Resolved  Fixed  b01 
JDK8225246  11.0.5  Christoph Langer  P4  Resolved  Fixed  b01 
JDK8230595  openjdk8u232  Martin Balao  P4  Resolved  Fixed  b05 
JDK8222305  8u231  Ivan Gerasimov  P4  Resolved  Fixed  b01 
JDK8229621  emb8u231  Ivan Gerasimov  P4  Resolved  Fixed  b01 
JDK8222306  7u241  Ivan Gerasimov  P4  Resolved  Fixed  b01 
In sun/security/ec/impl/ec.c ECDSA_SignDigestWithSeed() lines 755760, the digest is truncated using the following code:
/* In the definition of EC signing, digests are truncated
* to the length of n in bits.
* (see SEC 1 "Elliptic Curve Digit Signature Algorithm" section 4.1.*/
if (digest>len*8 > (unsigned int)ecParams>fieldID.size) {
mpl_rsh(&s,&s,digest>len*8  ecParams>fieldID.size);
}
However, the fieldID.size is not necessarily equal to the number of bits in the base point order, n. For example, with the standard F2M curves sect163r1 and sect283r1, the number of bits in n is one less than the field size: 162 and 282 bits, respectively. This leads to incorrect signatures when using hash algorithms that produce message digests longer than the field size.
Some cases to reproduce the issue are:
sect163r1 for ECDSA signatures using SHA 256, 384, 512
sect283r1 for ECDSA signatures using SHA 384, 512
I observed this issue when using jdk1.7.0_45, and still see the above code in the source for openjdk8srcb13203_mar_2014.zip.
 backported by

JDK8222303 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved

JDK8222304 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved

JDK8222305 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved

JDK8222306 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved

JDK8225246 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved

JDK8229621 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved

JDK8230595 Digest is incorrectly truncated for ECDSA signatures when the bit length of n is less than the field size
 Resolved
 relates to

JDK8221172 SunEC specific test is not limited to SunEC
 Resolved