Security/SR-1

From Snowblossom Wiki
Revision as of 04:01, 21 April 2022 by Fireduck

Security Review 1 - CVE-2022-21449: Psychic Signatures in Java

## Overview

CVE-2022-21449 affects some versions of Java, which do not properly validate ECDSA signatures, so signatures can be trivially faked.

This of course seems alarming since Snowblossom makes extensive use of ECDSA signatures, especially for seed-based wallets.

However, review of the issue found that while the flaw does absolutely exist in some versions of Java, no version of Snowblossom uses the Java-provided security provider for ECDSA signatures.

In the relevant section of Snowblossom code, we are always explicitly using the Bouncy Castle (BC) cryptographic provider.

   Signature sig_engine = Signature.getInstance(algo, Globals.getCryptoProviderName());

## References

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/

## Test Procedure

On a system with the problematic Java versions the test code was run to reproduce the issue.

   Testing blank signature with bouncycastle: Should report false meaning bad signature did not validate false

   Testing blank signature java provider: Should report false meaning bad signature did not validate true
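
A stand-alone check in the spirit of this test procedure, added here as an example; it is not the test code used in the review and not Snowblossom code. The class name, the throwaway secp256r1 key, the message and the all-zero signature bytes are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;

// Added example: does a JCA provider validate a blank (r = 0, s = 0) ECDSA signature?
public class BlankSignatureCheck {
    // Constructed inputs: the same blank signature in both encodings Java accepts.
    static final byte[] BLANK_DER = {0x30, 0x06, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00};
    static final byte[] BLANK_RAW = new byte[64]; // IEEE P1363: 32 zero bytes each for r and s

    /** Returns true when the blank signature validated, i.e. the provider is affected. */
    static boolean acceptsBlank(String algo, String provider, byte[] blank, PublicKey pub)
            throws GeneralSecurityException {
        Signature sig = (provider == null)
                ? Signature.getInstance(algo)            // JVM's default provider
                : Signature.getInstance(algo, provider); // explicit provider, as Snowblossom does
        sig.initVerify(pub);
        sig.update("any message".getBytes(StandardCharsets.UTF_8));
        try {
            return sig.verify(blank);
        } catch (SignatureException rejectedAsMalformed) {
            return false; // throwing on r = 0 or s = 0 is also a correct rejection
        }
    }

    public static void main(String[] args) throws Exception {
        // Optional argument: name of a registered provider such as "BC" (assumption:
        // Bouncy Castle is on the classpath and registered; otherwise omit it).
        String provider = args.length > 0 ? args[0] : null;
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // throwaway key for the test
        PublicKey pub = kpg.generateKeyPair().getPublic();

        boolean bad = acceptsBlank("SHA256withECDSA", provider, BLANK_DER, pub);
        System.out.println("DER blank signature validated: " + bad);
        if (provider == null) { // the P1363 algorithm name below is the JDK's own
            boolean raw = acceptsBlank("SHA256withECDSAinP1363Format", null, BLANK_RAW, pub);
            System.out.println("P1363 blank signature validated: " + raw);
            bad |= raw;
        }
        System.out.println(bad ? "FAIL: provider accepts blank signatures"
                               : "OK: blank signatures rejected");
        System.exit(bad ? 1 : 0);
    }
}
```

The non-zero exit status on failure lets the check run as a gate in a build or deployment script for the JVM that will actually host the node or wallet.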