Encoding Bug in ASN1Set

Encoding Bug in ASN1Set

Michael Schäfer
Hi,
 
I have noticed a bug in org.bouncycastle.asn1.ASN1Set.toDERObject() that could lead to reporting valid signatures as invalid. ASN1Sets can apparently be sorted or not. However, why the mentioned method does sort unsorted sets and doesn't sort sorted ones is a mystery to me. Can you please switch the cases to fix the bug?
 
Regards,
Michael
Re: Encoding Bug in ASN1Set

David Hook-3

DER encoding requires sets to be sorted. You could almost say it's the whole point - the idea is that there should be only one way to compute a signature over the data. Signatures that rely on unsorted sets to validate are invalid.

Regards,

David
On 13/12/19 9:20 pm, [hidden email] wrote:
Hi,
 
I have noticed a bug in org.bouncycastle.asn1.ASN1Set.toDERObject() that could lead to reporting valid signatures as invalid. ASN1Sets can apparently be sorted or not. However, why the mentioned method does sort unsorted sets and doesn't sort sorted ones is a mystery to me. Can you please switch the cases to fix the bug?
 
Regards,
Michael
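
The ordering rule from the reply, as an added example (not part of the thread and not Bouncy Castle's code): Python that DER-re-encodes a SET OF whose members arrive unsorted and shows that the bytes, and therefore the digest a verifier computes, change. The sample bytes are constructed, the function names are this example's own, and elements are assumed to use short-form lengths.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (complete TLV bytes, next offset); short-form lengths only (assumption)."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated header or long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[pos:end], end

def set_members(encoded_set):
    """Split a SET OF (tag 0x31) into the complete encodings of its members."""
    tlv, end = read_tlv(encoded_set, 0)
    if tlv[0] != 0x31 or end != len(encoded_set):
        raise ValueError("expected exactly one SET")
    members, pos, body = [], 0, tlv[2:]
    while pos < len(body):
        member, pos = read_tlv(body, pos)
        members.append(member)
    return members

def der_set_of(members):
    """Encode members in DER order (X.690 11.6): ascending by encoded octets,
    shorter encodings padded with trailing zero octets for the comparison."""
    width = max((len(m) for m in members), default=0)
    body = b"".join(sorted(members, key=lambda m: m.ljust(width, b"\x00")))
    if len(body) > 127:
        raise ValueError("body too long for short-form length")
    return bytes([0x31, len(body)]) + body

def digest_survives_der(received):
    """True if hashing the DER re-encoding gives the digest of the received bytes."""
    canonical = der_set_of(set_members(received))
    return hashlib.sha256(canonical).digest() == hashlib.sha256(received).digest()

# Constructed sample: SET OF INTEGER with members in arrival order 5, 300, 2.
UNSORTED = bytes.fromhex("310a020105" "0202012c" "020102")
CANONICAL = der_set_of(set_members(UNSORTED))

if __name__ == "__main__":
    print(CANONICAL.hex())
    print(digest_survives_der(UNSORTED))
    print(digest_survives_der(CANONICAL))
```

A signature computed over the unsorted bytes cannot verify against the canonical form, because the two encodings hash differently.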