Age | Commit message (Collapse) | Author |
|
|
|
|
|
PiperOrigin-RevId: 616253146
|
|
COPYBARA_INTEGRATE_REVIEW=https://github.com/google/wycheproof/pull/95 from 0o001:0o001-patch-1 080532d0b11cbda66679e699379fed47165bebac
PiperOrigin-RevId: 616242185
|
|
PiperOrigin-RevId: 616234753
|
|
PiperOrigin-RevId: 616210032
|
|
PiperOrigin-RevId: 616171757
|
|
|
|
PiperOrigin-RevId: 615447588
|
|
PiperOrigin-RevId: 602941791
|
|
Resolves #101.
|
|
PiperOrigin-RevId: 579244139
|
|
`$ copybara third_party/java_src/jose4j/copy.bara.sky default --force --piper-description-behavior OVERWRITE -- jose4j-0.9.3`
This CL drops the Google-internal patch for `RSA1_5` padding oracle mitigations. It also gets us to the most recent version (finally!). After this, we should register this project for copybara as a service so updates happen monthly (when available).
#MIGRATION_3P_JAVA_SRC_JOSE4J__DEFAULT
- aabcf0bdde392a6d7ef1fd5a12549f1a3fcbe319 [maven-release-plugin] prepare release jose4j-0.9.2 by Brian Campbell <brian.d.campbell@gmail.com>
- dad416151f06bcffb8ffc1a2c31b1fe741c29256 [maven-release-plugin] prepare for next development itera... by Brian Campbell <brian.d.campbell@gmail.com>
- 1929fe30cfa769bf4deba89928653da028cb72e5 PBES2 - disallow iteration count < 1000 (Issue #203) and ... by Brian Campbell <brian.d.campbell@gmail.com>
- 14e62a8dee9decb4ff6e0625aedc5724601bfdb6 Addtional controls around RSAES-PKCS1-v1_5 including addi... by Brian Campbell <brian.d.campbell@gmail.com>
- 63b86581e7bfcc2d9d04ee15caea4b5bfb911f59 Additional controls around RSAES-PKCS1-v1_5 including add... by Brian Campbell <brian.d.campbell@gmail.com>
- 0aad8fc75d599a049bba2b3a75f5bcba1009cfaf [maven-release-plugin] prepare release jose4j-0.9.3 by Brian Campbell <brian.d.campbell@gmail.com>
NOKEYCHECK=True
PiperOrigin-RevId: 577462443
|
|
`$ copybara third_party/java_src/jose4j/copy.bara.sky default --force --piper-description-behavior OVERWRITE -- jose4j-0.8.0`
Kept security patch in org/jose4j/jwe/WrappingKeyManagementAlgorithm.java for padding oracle. That's fixed at 0.9.3 (but we can't go past 0.8.0 due to missing Java language features). Unsuppressed a Wycheproof test that was testing for bad EC validation behavior which is now fixed.
#MIGRATION_3P_JAVA_SRC_JOSE4J__DEFAULT
- ff6d6c2ee7b94ca5e1ee9c17b4647938110bd07d two ampersands are better than one fixes Issue #190 by Brian Campbell <brian.d.campbell@gmail.com>
- f8738d73a5c8337b61aa7cfa08f006b87342fcb8 JsonWebSignature's payload and encoded payload could get ... by Brian Campbell <brian.d.campbell@gmail.com>
- 68a50429f9285e079749956ff2ff4fff8f9d7d7e fix typo in javadoc by Brian Campbell <brian.d.campbell@gmail.com>
- 4c73787c94e8f77f9ed1dec61eb6df20f7cd29fc Disable http servers/proxies cache when calling JWKS by Khaled Hamlaoui <khaled.hamlaoui@renault.com>
- 2e32fa33633a0687282c2581b9a93c7802164ca5 Remove the option: disable server side cache using randon... by Khaled Hamlaoui <khaled.hamlaoui@renault.com>
- fa31af5ebfd7c81ebce79d4a635726ac1303b3d0 Restore imports by Khaled Hamlaoui <khaled.hamlaoui@renault.com>
- af33380bf566f72c6054622ae9b8e62a90f5989e Remove the cache support of servers using http 1.0 by Khaled Hamlaoui <khaled.hamlaoui@renault.com>
- d68c33cab8e9480d01391f51e7e5e51a7d950848 get the javadoc errors to stop by Brian Campbell <brian.d.campbell@gmail.com>
- 5eaa19a3e773e5eb32cf2186e01e12b9ddf4920c Add JWK Thumbprint URI support by David Waite <dwaite@pingidentity.com>
- 5172d65378a4e270428ee439900e6b22c3c9afed Reject messages that contain private keys in JOSE headers... by Brian Campbell <brian.d.campbell@gmail.com>
- 37957685cb27d71f55b13695572b3ea0a4a04013 ugh, forgot there was getJwkHeaderValue too by Brian Campbell <brian.d.campbell@gmail.com>
- 0f60487b67587bd3f9ecc9f1c8cea61fb205566a Do some pre-checks before calling the crypto provider to ... by Brian Campbell <brian.d.campbell@gmail.com>
- c350a58942bb29e019097a6ab455918ca5b8beb4 Throw a checked exception from new EllipticCurveJsonWebKe... by Brian Campbell <brian.d.campbell@gmail.com>
- 93c585f1f3807eee76c114fce601ec614d8c4242 Tidy up the JsonWebKeySet debug logging when an individua... by Brian Campbell <brian.d.campbell@gmail.com>
- 1b933223c4976158a74711eb8c20343b8af6a7ad add some better context and fix some spelling in logging by Brian Campbell <brian.d.campbell@gmail.com>
- 135cd1b9530fe93b59d3f5298e3561e91c15b1d7 InvalidKeyException rather than JoseException for ECDH in... by Brian Campbell <brian.d.campbell@gmail.com>
- 6436f76f5a667c88e1aea9225084f1135deeed9d add support for the ES256K JWS alg (ECDSA using secp256k1... by Brian Campbell <brian.d.campbell@gmail.com>
NOKEYCHECK=True
PiperOrigin-RevId: 572422528
|
|
For reference, here's the initial set of providers:
```
[SUN, SunRsaSign, SunEC, SunJSSE, SunJCE, SunJGSS, SunSASL, XMLDSig, SunPCSC, JdkLDAP, JdkSASL, SunPKCS11]
```
Versus the list after executing `installOnlyOpenJDKProviders()`:
```
[SUN, SunJCE, SunRsaSign, SunEC]
```
Note that the OpenJDK providers are initially present but in a different order, which is used convey provider preference.
NOKEYCHECK=True
PiperOrigin-RevId: 568645228
|
|
Bouncy Castle 1.73 and later no longer allows null IES algorithm parameters: https://github.com/bcgit/bc-java/commit/5f7b6e7588737bcfb8f1dac85c03d761dc39f42c
http://sponge2/9c4945bf-871a-4131-ac6e-81353a8599d0 (ok)
http://sponge2/d7ab9ab6-c9b6-4939-b967-36a58ffcb269 (failed)
NOKEYCHECK=True
PiperOrigin-RevId: 565414128
|
|
- Should refer to:
https://datatracker.ietf.org/doc/html/rfc7748#section-5
not:
https://datatracker.ietf.org/doc/html/rfc7749#section-5
|
|
the NIST standard only recommends short exponents in the case of named primes, so this CL is a bit weaker than NIST.
See http://b/261217218#comment20
NOKEYCHECK=True
PiperOrigin-RevId: 554499257
|
|
A typical error message with the new JDK looks like this:
java.lang.AssertionError: X expected to have bit length 1504, but has value 92958950218418996462987643843877938499735925222249647906188789799246291415800, which has bit length 256
NOKEYCHECK=True
PiperOrigin-RevId: 548591594
|
|
|
|
|
|
For 93, 95, and 101, the public keys are on the twist but they don't have the "Twist" flag.
For 94, the public key is on Curve25519 but has the "Twist" flag.
To determine whether a public key is on Curve25519, I use the following procedure:
1. Mask the msb of the public key according to RFC 7748, get masked public key `u`
2. Compute `vv = u^3 + A*u^2 + u`
3. If `vv` is a square, then it's on Curve25519, otherwise it's on the twist. (Use Euler's criterion or golang's `(*big.Int).ModSqrt(x, p *Int)` to determine whether `vv` is a square.)
NOKEYCHECK=True
PiperOrigin-RevId: 534098023
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 516220120
|
|
RFC 7292 uses BMPStrings to encode passwords.
This encoding uses UTF-16 encoded strings with big-endian ordering
and a NULL terminator.
Adding a few more test vectors with invalid UTF-8 encoding.
NOKEYCHECK=True
PiperOrigin-RevId: 516194647
|
|
So far the test only supports PBES2.
PBES1 is outdatated and uses ciphers such as 3DES and RC2.
Results:
The SUN provider pass the tests with passwords that contain printable ASCII characters.
BouncyCastle skips everything. This provider implements algorithms such as PBEWITHSHAAND128BITAES-CBC-BC. These algorithms use PKCS #12 encodings for the
password, hence give different results.
Conscrypt relies on other providers for a SecretKeyFactory. Hence all tests
are skipped.
NOKEYCHECK=True
PiperOrigin-RevId: 515616908
|
|
This is based on RFC 2898.
The files are incompletes since I don't have code for test vector generation
yet. PBES2 generates a random key from a password and salt. Then uses
this key and additional parameters (in this case an IV) to encrypt.
RFC 2898 only defines PBES2 with unauthenticated encryption.
In particular it uses CBC mode with PKCS #5 padding.
The test vectors have flags depending on the password:
"printable": The password consists of printable ASCII characters.
These are test vectors that can be verified by the SUN provider.
"Ascii": The password consists of ASCII characters.
"Utf8": The password is a valid UTF-8 encoding. These are passwords for which
the SUN provider can compute the underlying PBKDF function correctly.
"NonUtf8": passwords that are not valid UTF-8 encodings. PBES2 is defined for
these values, but it is not clear yet if there is a provider that
supports these passwords.
NOKEYCHECK=True
PiperOrigin-RevId: 515365503
|
|
PBKDF2 is used for PBES2 in JWE.
NOKEYCHECK=True
PiperOrigin-RevId: 514744065
|
|
PBKDF2 is a function that takes as input a password, a salt, an interation count and a key length. password and salt are byte arrays. Some implementations have restrictions. E.g., JCE uses UTF-8 encodings of a char[]. These implementations
cannot verify all test vectors. Because of these restrictions there are different
types of test vectors that are marked with the flags:
"Printable": password contains printable ASCII characters
"Ascii": password contains ASCII characters
"Utf8": password is a valid Utf8 encoding
"NonUtf8": password is not a valid Utf8 encoding
NOKEYCHECK=True
PiperOrigin-RevId: 514702127
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 513822210
|
|
signatures.
Both Nimbus-Jose and jose4j do not check the size of ECDSA signatures.
The effect is signature malleability.
Sometimes standards are a bit fuzzy about accepting alternative encodings.
Here, RFC 7518, section 3.4 requires that ES256 signatures are exactly 64 bytes
long.
NOKEYCHECK=True
PiperOrigin-RevId: 513222124
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 512057528
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 512037229
|
|
There are a few more cases where jose4j does not check the algorithm of the
key. It is for example possible to abuse an AES key as an HMAC key.
NOKEYCHECK=True
PiperOrigin-RevId: 512019595
|
|
Nimbus-Jose doesn't check whether the algorithm in the key is the
same as the algorithm in the header of the ciphertext.
It is currently unclear if this can be exploited.
Maybe there is a timing attack that can exploit this.
NOKEYCHECK=True
PiperOrigin-RevId: 511722407
|
|
This encryption moded is defined in RFC 7518.
It is based on McGrew, D., Foley, J., and K. Paterson, "Authenticated
Encryption with AES-CBC and HMAC-SHA",
draft-mcgrew-aead-aes-cbc-hmac-sha2-05, July 2014.
The algorithms are AEAD.
All inputs are byte arrays and hence have the same format as test vectors
for other AEADs. JWE encodes IV, ciphertext and tag using base64. This
encoding is not part of the test and test vectors.
NOKEYCHECK=True
PiperOrigin-RevId: 511430026
|
|
All test vectors currently use only compact serialization.
Other serializations were previously allowed.
NOKEYCHECK=True
PiperOrigin-RevId: 511429694
|
|
Currently all test vectors use the compact form for the "jws" field.
If we ever add tests where the jws uses another format then these
tests would be in a different test vector file.
NOKEYCHECK=True
PiperOrigin-RevId: 511207630
|
|
All other test vectors use compact form.
For testing libraries that accepts forms other than the compact form
we would add new test vector files.
This simplifies the tests using these test vectors.
NOKEYCHECK=True
PiperOrigin-RevId: 511000783
|
|
All other test vectors use a flattened representation.
(i.e. three base64 encoded strings separated with '.')
The libraries tested so far only accept flattened representations.
Other representations allow additional options.
Hence testing such representations will be done with new test vector files.
NOKEYCHECK=True
PiperOrigin-RevId: 510999148
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 510365449
|
|
The original tests covered more than just
tests for JW signatures. This included tests
with keysets. No keysets are necessary to
test signature verification. Hence the test
here can be simplified.
NOKEYCHECK=True
PiperOrigin-RevId: 510121455
|
|
RFC 7515 specifies in Section 2 additional
characters such as spaces and line breaks are not
allowed.
Base64 decoders are frequently not strict about their inputs.
For example base64 in python explicitely allows white space and ignores it.
In other cases the decoders use lookuptables in such a way that invalid characters have a value of 0 or -1.
The new test vectors contain invalid encoded Hmacs. They have been constructed
so that they may fail if base64 decoding is not strict.
NOKEYCHECK=True
PiperOrigin-RevId: 509757096
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 509198084
|
|
There are a few more failing test vectors:
jose4j verifies signatures with keys only meant for encryption.
Possibly this has been fixed upstream with
https://bitbucket.org/b_c/jose4j/wiki/commits/72e156aa68def409bca97f4dff9f63ec5a7c24c1
NOKEYCHECK=True
PiperOrigin-RevId: 509168926
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 508858149
|
|
Describing the purpose of test vectors that were recently added.
NOKEYCHECK=True
PiperOrigin-RevId: 508600619
|
|
NOKEYCHECK=True
PiperOrigin-RevId: 508600612
|
|
Some provider appear to generate keys, but throw exceptions while signing a message.
Such a behavior currently fails the test. It should be skipped.
NOKEYCHECK=True
PiperOrigin-RevId: 508369913
|
|
since the jdk provider has flaws. (b/268108666)
Detecting the bias in the bug above requires 10^12 signatures.
Hence it is not feasible to check for such biases.
The test only checks for large biases. Hopefully, the checks
cover those cases that are exploitable.
NOKEYCHECK=True
PiperOrigin-RevId: 508076711
|
|
This will be configured to run as a scheduled/manually-triggered job, as opposed to the smaller scope of the tests currently being run during presubmit/postsubmit (kokoro/run_continuous_tests.sh).
NOKEYCHECK=True
PiperOrigin-RevId: 507602263
|