RFR: 8302017: Allocate BadPaddingException only if it will be thrown [v2]

Ferenc Rakoczi duke at openjdk.org
Thu Jul 13 10:01:04 UTC 2023


On Thu, 13 Jul 2023 04:35:31 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>> 
>>   Address review feedbacks, e.g. Removed RSAPadding.Output and use byte[] as before.
>
> src/java.base/share/classes/sun/security/rsa/RSASignature.java line 231:
> 
>> 229:                             RSAUtil.decodeSignature(digestOID, unpadded));
>> 230:                 }
>> 231:             }
> 
> I understand where the fallback code came from.  As the padding code is exactly the same as engineSign(), the risk may be minimal.  With the fallback code, the security concern (time-constant) we cared about will come back.  Did you run into testing failure without the fallback code?

Instead of falling back to unpad()/decodeSignature(), I suggest trying a new version of encodeSignature() in which you omit putting the null for params into the DER encoding and compare the decrypted message with that, too. Accept if either of the two encodings matches the decrypted one, reject otherwise. This can be done in constant time, although it is not necessary to be constant time as the time of doing it does not depend on any secret.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/14839#discussion_r1262326648
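The "encode both ways and compare" check suggested above, as an added illustration that is not code from the PR or the JDK. It assumes SHA-256 with PKCS#1 v1.5 signatures, and a hypothetical `recovered` byte array that is the DigestInfo left after the RSA public-key operation and PKCS#1 unpadding.

```java
import java.security.MessageDigest;

// Added example, not JDK code: builds the SHA-256 DigestInfo both with and
// without the NULL AlgorithmIdentifier parameters and accepts the recovered
// block if it equals either one, so no decoder runs on attacker-controlled DER.
public class DigestInfoCompare {

    // DER-encoded OID for id-sha256 (2.16.840.1.101.3.4.2.1), tag and length included.
    private static final byte[] SHA256_OID = {
        0x06, 0x09, 0x60, (byte) 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01 };

    // DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING digest }
    // AlgorithmIdentifier ::= SEQUENCE { OID, NULL OPTIONAL }
    // All lengths stay below 128 for SHA-256, so single-byte DER lengths suffice.
    static byte[] encodeDigestInfo(byte[] digest, boolean withNullParams) {
        int algIdLen = SHA256_OID.length + (withNullParams ? 2 : 0);
        int innerLen = 2 + algIdLen + 2 + digest.length;
        byte[] out = new byte[2 + innerLen];
        int i = 0;
        out[i++] = 0x30; out[i++] = (byte) innerLen;   // outer SEQUENCE
        out[i++] = 0x30; out[i++] = (byte) algIdLen;   // AlgorithmIdentifier SEQUENCE
        System.arraycopy(SHA256_OID, 0, out, i, SHA256_OID.length);
        i += SHA256_OID.length;
        if (withNullParams) { out[i++] = 0x05; out[i++] = 0x00; }  // NULL params
        out[i++] = 0x04; out[i++] = (byte) digest.length;          // OCTET STRING
        System.arraycopy(digest, 0, out, i, digest.length);
        return out;
    }

    // Both comparisons always run; MessageDigest.isEqual compares equal-length
    // inputs in constant time (it returns false early only on a length mismatch).
    static boolean matchesEitherEncoding(byte[] recovered, byte[] digest) {
        boolean withNull = MessageDigest.isEqual(recovered, encodeDigestInfo(digest, true));
        boolean withoutNull = MessageDigest.isEqual(recovered, encodeDigestInfo(digest, false));
        return withNull | withoutNull;  // non-short-circuit OR
    }

    public static void main(String[] args) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest("hello".getBytes("UTF-8"));
        // Constructed sample: pretend unpadding yielded the encoding without NULL params.
        byte[] recovered = encodeDigestInfo(digest, false);
        System.out.println("intact block accepted: " + matchesEitherEncoding(recovered, digest));
        recovered[recovered.length - 1] ^= 1;  // flip one digest bit
        System.out.println("tampered block accepted: " + matchesEitherEncoding(recovered, digest));
    }
}
```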

