Some last minute changes before public announcement.

1 files changed, 67 insertions, 96 deletions

diff --git a/java/com/google/security/wycheproof/testcases/DsaTest.java b/java/com/google/security/wycheproof/testcases/DsaTest.java
index d2e4f94..e466900 100644
--- a/java/com/google/security/wycheproof/testcases/DsaTest.java
+++ b/java/com/google/security/wycheproof/testcases/DsaTest.java
@@ -15,6 +15,7 @@
  */
 
 // TODO(bleichen):
+// - add tests for signature malleability and ASN parsing.
 // - add tests for SHA1WithDSA with wrong key
 // - add tests for "alternative" algorithm names
 // - convert tests for deterministic DSA variants.
@@ -53,19 +54,6 @@ import junit.framework.TestCase;
  *
  * @author bleichen@google.com (Daniel Bleichenbacher)
  */
-// Tested providers:
-//   "SUN":
-//   - allows some alternative BER encodings of signatures
-//   - does not check whether the ASN sequence contains two elements
-//     and throws runtime exceptions when the sequence is too short.
-//   - does not support 3072 bit keys.
-//   "BC":
-//   - allows some alternaitve BER encodings
-//   - accepts signatures with additional arguments
-//   - key generation is slow, maybe because BouncyCastle tries to generate
-//     new parameters for each key.
-//   - KeyPairGenerator.getInstance("DSA") generates keys with 160 bit q
-//     independent of the size of p.
 public class DsaTest extends TestCase {
   static final String MESSAGE = "Hello";
 
@@ -123,70 +111,31 @@ public class DsaTest extends TestCase {
         + "021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236",
   };
 
-  // The following test vectors check for signature malleability and bugs.
-  // That means the test vectors are derived from a valid signature
-  // by modifying the ASN encoding. A correct implementation of DSA
-  // should only accept correct DER encoding and properly handle the others.
-  // Allowing alternative BER encodings is in many cases benign.
-  // An example where this kind of signature malleability was a problem
-  // https://en.bitcoin.it/wiki/Transaction_Malleability
-
   static final String[] INVALID_SIGNATURES = {
-    // encodings that were obtained by leaving some arguments out
-    "301f021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe87862" + "36",
-    "301e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd",
-    "",
-    // encodings that were obtained by leaving some parts empty
-    "30210200021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8" + "786236",
-    "3020021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "0200",
-    "3000",
-    // encodings with sizes that overflow 32 or 64 bit integers
-    "30420285010000001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916"
-        + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
-        + "e8786236",
-    "3046028901000000000000001c1e41b479ad576905b960fe14eadb91b0ccf348"
-        + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf"
-        + "3365813fe8786236",
-    "3042021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
-        + "0285010000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
-        + "e8786236",
-    "3046021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd"
-        + "028901000000000000001d00ade65988d237d30f9ef41dd424a4e1c8f16967cf"
-        + "3365813fe8786236",
-    "3085010000003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916"
-        + "173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f"
-        + "e8786236",
-    "308901000000000000003d021c1e41b479ad576905b960fe14eadb91b0ccf348"
-        + "43dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf"
-        + "3365813fe8786236",
-    // encodings where numbers were replace by an encoding of infinity
-    "3022090180021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813f" + "e8786236",
-    "3021021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd" + "090180",
-    // Signatures with special case values for r and s.
-    // E.g. r=1, s=0 are values that can lead to forgeries if the DSA implementation
-    // does not check boundaries and computes s^(-1) == 0.
-    "300402000200",
-    "30050200020101",
-    "300502000201ff",
-    "30210200021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc" + "d5695d",
-    "30210200021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bc" + "d5695e",
-    "30210200021d0100000000000000000000000000000000000000000000000000" + "000000",
-    "30820107020002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3b"
-        + "af3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85"
-        + "d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9934534"
-        + "09a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d"
-        + "648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d81"
-        + "81e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f80"
-        + "3b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b"
-        + "66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342"
-        + "be484c05763939601cd667",
-    "30070200090380fe01",
-    "30050201010200",
+    // Signatures with special case values for r and s. E.g. r=1, s=0 are values that can lead to
+    // forgeries if the DSA implementation does not check boundaries and computes s^(-1) == 0.
+    "3022020100021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
+    "3006020100020101",
+    "30060201000201ff",
+    "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
+    "3022020100021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
+    "3022020100021d0100000000000000000000000000000000000000000000000000000000",
+    "3082010802010002820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e"
+        + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b"
+        + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345"
+        + "3409a0fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f"
+        + "9d648ef883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d"
+        + "8181e7338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f"
+        + "803b32a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de"
+        + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3"
+        + "42be484c05763939601cd667",
+    "3008020100090380fe01",
+    "3022020101021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
     "3006020101020101",
     "30060201010201ff",
-    "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0" + "bcd5695d",
-    "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0" + "bcd5695e",
-    "3022020101021d01000000000000000000000000000000000000000000000000" + "00000000",
+    "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
+    "3022020101021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
+    "3022020101021d0100000000000000000000000000000000000000000000000000000000",
     "3082010802010102820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e"
         + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b"
         + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345"
@@ -197,12 +146,12 @@ public class DsaTest extends TestCase {
         + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3"
         + "42be484c05763939601cd667",
     "3008020101090380fe01",
-    "30050201ff0200",
+    "30220201ff021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
     "30060201ff020101",
     "30060201ff0201ff",
-    "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0" + "bcd5695d",
-    "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0" + "bcd5695e",
-    "30220201ff021d01000000000000000000000000000000000000000000000000" + "00000000",
+    "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
+    "30220201ff021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
+    "30220201ff021d0100000000000000000000000000000000000000000000000000000000",
     "308201080201ff02820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e"
         + "3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b"
         + "85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a99345"
@@ -213,9 +162,11 @@ public class DsaTest extends TestCase {
         + "4b66ff04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e3"
         + "42be484c05763939601cd667",
     "30080201ff090380fe01",
-    "3021021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d0200",
-    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d020101",
-    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d0201ff",
+    "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
+        + "5d021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
+    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020100",
+    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d020101",
+    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d0201ff",
     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
         + "5d021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
@@ -232,10 +183,12 @@ public class DsaTest extends TestCase {
         + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04"
         + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c"
         + "05763939601cd667",
-    "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5d090380fe01",
-    "3021021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e0200",
-    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e020101",
-    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e0201ff",
+    "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d090380fe01",
+    "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
+        + "5e021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
+    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020100",
+    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e020101",
+    "3022021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e0201ff",
     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
         + "5e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
     "303e021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569"
@@ -252,10 +205,12 @@ public class DsaTest extends TestCase {
         + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04"
         + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c"
         + "05763939601cd667",
-    "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd569" + "5e090380fe01",
-    "3021021d01000000000000000000000000000000000000000000000000000000" + "000200",
-    "3022021d01000000000000000000000000000000000000000000000000000000" + "00020101",
-    "3022021d01000000000000000000000000000000000000000000000000000000" + "000201ff",
+    "3024021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e090380fe01",
+    "303e021d01000000000000000000000000000000000000000000000000000000"
+        + "00021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
+    "3022021d0100000000000000000000000000000000000000000000000000000000020100",
+    "3022021d0100000000000000000000000000000000000000000000000000000000020101",
+    "3022021d01000000000000000000000000000000000000000000000000000000000201ff",
     "303e021d01000000000000000000000000000000000000000000000000000000"
         + "00021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
     "303e021d01000000000000000000000000000000000000000000000000000000"
@@ -272,8 +227,18 @@ public class DsaTest extends TestCase {
         + "c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff04"
         + "903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be484c"
         + "05763939601cd667",
-    "3024021d01000000000000000000000000000000000000000000000000000000" + "00090380fe01",
-    "3082010702820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
+    "3024021d0100000000000000000000000000000000000000000000000000000000090380fe01",
+    "3082012402820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
+        + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
+        + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
+        + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
+        + "f883448677979cec04b434a6ac2e75e9985de23db0292fc1118c9ffa9d8181e7"
+        + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
+        + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
+        + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
+        + "4c05763939601cd667021dff450969597a870820211805983688387a10cd4dcc"
+        + "451a7f3f432a96a3",
+    "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
         + "fe696c4658f84bdd20819c3709a01057b195adcd00233dba5484b6291f9d648e"
@@ -281,7 +246,7 @@ public class DsaTest extends TestCase {
         + "338db792b730d7b9e349592f68099872153915ea3d6b8b4653c633458f803b32"
         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
-        + "4c05763939601cd6670200",
+        + "4c05763939601cd667020100",
     "3082010802820101008f7935d9b9aae9bfabed887acf4951b6f32ec59e3baf37"
         + "18e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7475b85d011"
         + "adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a993453409a0"
@@ -356,12 +321,13 @@ public class DsaTest extends TestCase {
         + "a4c2e0f27290256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea143de4b66ff"
         + "04903ed5cf1623e158d487c608e97f211cd81dca23cb6e380765f822e342be48"
         + "4c05763939601cd667090380fe01",
-    "3007090380fe010200",
+    "3024090380fe01021dff450969597a870820211805983688387a10cd4dcc451a7f3f432a96a3",
+    "3008090380fe01020100",
     "3008090380fe01020101",
     "3008090380fe010201ff",
-    "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae5" + "80c0bcd5695d",
-    "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae5" + "80c0bcd5695e",
-    "3024090380fe01021d0100000000000000000000000000000000000000000000" + "000000000000",
+    "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695d",
+    "3024090380fe01021d00baf696a68578f7dfdee7fa67c977c785ef32b233bae580c0bcd5695e",
+    "3024090380fe01021d0100000000000000000000000000000000000000000000000000000000",
     "3082010a090380fe0102820101008f7935d9b9aae9bfabed887acf4951b6f32e"
         + "c59e3baf3718e8eac4961f3efd3606e74351a9c4183339b809e7c2ae1c539ba7"
         + "475b85d011adb8b47987754984695cac0e8f14b3360828a22ffa27110a3d62a9"
@@ -421,6 +387,11 @@ public class DsaTest extends TestCase {
         VALID_SIGNATURES, publicKey1, "Hello", "SHA224WithDSA", "Valid DSA signature", true);
   }
 
+  public void testInvalidSignatures() throws Exception {
+    testVectors(
+        INVALID_SIGNATURES, publicKey1, "Hello", "SHA224WithDSA", "Invalid DSA signature", false);
+  }
+
   // Extract the integer r from a DSA signature.
   // This method implicitely assumes that the DSA signature is DER encoded.
   BigInteger extractR(byte[] signature) throws Exception {