8320597: RSA signature verification fails on signed data that does not encode params correctly

Reviewed-by: mullan, valeriep

src/java.base/share/classes/sun/security/rsa/RSASignature.java

@@ -217,8 +217,17 @@ abstract class RSASignature extends SignatureSpi {
             byte[] decrypted = RSACore.rsa(sigBytes, publicKey);
 
             byte[] digest = getDigestValue();
+
             byte[] encoded = RSAUtil.encodeSignature(digestOID, digest);
             byte[] padded = padding.pad(encoded);
+            if (MessageDigest.isEqual(padded, decrypted)) {
+                return true;
+            }
+
+            // Some vendors might omit the NULL params in digest algorithm
+            // identifier. Try again.
+            encoded = RSAUtil.encodeSignatureWithoutNULL(digestOID, digest);
+            padded = padding.pad(encoded);
             return MessageDigest.isEqual(padded, decrypted);
         } catch (javax.crypto.BadPaddingException e) {
             return false;

src/java.base/share/classes/sun/security/rsa/RSAUtil.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -180,28 +180,15 @@ public class RSAUtil {
     }
 
     /**
-     * Decode the signature data. Verify that the object identifier matches
+     * Encode the digest without the NULL params, return the to-be-signed data.
-     * and return the message digest.
+     * This is only used by SunRsaSign.
      */
-    public static byte[] decodeSignature(ObjectIdentifier oid, byte[] sig)
+    static byte[] encodeSignatureWithoutNULL(ObjectIdentifier oid, byte[] digest) {
-            throws IOException {
+        DerOutputStream out = new DerOutputStream();
-        // Enforce strict DER checking for signatures
+        out.write(DerValue.tag_Sequence, new DerOutputStream().putOID(oid));
-        DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
+        out.putOctetString(digest);
-        DerValue[] values = in.getSequence(2);
+        DerValue result =
-        if ((values.length != 2) || (in.available() != 0)) {
+                new DerValue(DerValue.tag_Sequence, out.toByteArray());
-            throw new IOException("SEQUENCE length error");
+        return result.toByteArray();
-        }
-        AlgorithmId algId = AlgorithmId.parse(values[0]);
-        if (!algId.getOID().equals(oid)) {
-            throw new IOException("ObjectIdentifier mismatch: "
-                + algId.getOID());
-        }
-        if (algId.getEncodedParams() != null) {
-            throw new IOException("Unexpected AlgorithmId parameters");
-        }
-        if (values[1].isConstructed()) {
-            throw new IOException("Unexpected constructed digest value");
-        }
-        return values[1].getOctetString();
     }
 }

test/jdk/sun/security/rsa/WithoutNULL.java

@@ -0,0 +1,57 @@
+/*
+ * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8320597
+ * @summary Verify RSA signature with omitted digest params (should be encoded as NULL)
+ * for backward compatibility
+ */
+import java.security.KeyFactory;
+import java.security.Signature;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Base64;
+
+public class WithoutNULL {
+    public static void main(String[] args) throws Exception {
+
+        // A 1024-bit RSA public key
+        byte[] key = Base64.getMimeDecoder().decode("""
+                MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCrfTrEm4KvdFSpGAM7InrFEzALTKdphT9fK6Gu
+                eVjHtKsuCSEaULCdjhJvPpFK40ONr1JEC1Ywp1UYrfBBdKunnbDZqNZL1cFv+IzF4Yj6JO6pOeHi
+                1Zpur1GaQRRlYTvzmyWY/AATQDh8JfKObNnDVwXeezFODUG8h5+XL1ZXZQIDAQAB""");
+
+        // A SHA1withRSA signature on an empty input where the digestAlgorithm
+        // inside DigestInfo does not have a parameters field.
+        byte[] sig = Base64.getMimeDecoder().decode("""
+                D1FpiT44WEXlDfYK880bdorLO+e9qJVXZWiBgqs9dfK7lYQwyEt9dL23mbUAKm5TVEj2ZxtHkEvk
+                b8oaWkxk069jDTM1RhllPJZkAjeQRbw4gkg4N6wKZz9B/jdSRMNJg/b9QdRYZOHOBxsEHMbUREPV
+                DoCOLaxB8eIXX0EWkiE=""");
+
+        Signature s = Signature.getInstance("SHA1withRSA", "SunRsaSign");
+        s.initVerify(KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(key)));
+        if (!s.verify(sig)) {
+            throw new RuntimeException("Does not verify");
+        }
+    }
+}