JDK-8161571 : Verifying ECDSA signatures permits trailing bytes
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 8,9
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2016-07-05
  • Updated: 2018-02-08
  • Resolved: 2016-07-22
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 6: 6u141 (Fixed)
  • JDK 7: 7u131 (Fixed)
  • JDK 8: 8u121 (Fixed)
  • JDK 9: 9 b129 (Fixed)
  • Other: openjdk7u (Fixed)
Description
FULL PRODUCT VERSION :
openjdk version "1.8.0_92"
OpenJDK Runtime Environment (build 1.8.0_92-b14)
OpenJDK 64-Bit Server VM (build 25.92-b14, mixed mode)

ADDITIONAL OS VERSION INFORMATION :
Linux nicks-dryden 4.5.7-200.fc23.x86_64 #1 SMP Wed Jun 8 17:41:50 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

EXTRA RELEVANT SYSTEM CONFIGURATION :
Version of sunec.jar:

unzip -p /usr/lib/jvm/jre/lib/ext/sunec.jar META-INF/MANIFEST.MF
Manifest-Version: 1.0
Implementation-Title: Java Runtime Environment
Implementation-Version: 1.8.0_92
Specification-Vendor: Oracle Corporation
Specification-Title: Java Platform API Specification
Implementation-Vendor-Id: com.sun
Extension-Name: javax.crypto
Specification-Version: 1.8
Created-By: 1.8.0_92 (Oracle Corporation)
Implementation-Vendor: N/A

A DESCRIPTION OF THE PROBLEM :
When verifying ECDSA signatures, the SunEC provider does not validate the signature length, allowing signatures with bogus trailing bytes to be accepted.

Having stepped through the source code, the problem is in sun.security.ec.ECDSASignature; the decodeSignature() method unpacks the DER signature but does not check for trailing bytes.


REPRODUCIBILITY :
This bug can be reproduced always.
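
The check described above, sketched as an added example that is not code from the JDK or from the bug report: a strict parser that accepts a DER-encoded ECDSA signature only if the input is exactly one SEQUENCE of two positive INTEGERs with nothing after it. The class StrictEcdsaSig and its method names are hypothetical, and the sample bytes in main() are constructed to show the encoding only, not a valid signature.

```java
import java.math.BigInteger;
import java.util.Arrays;
// Added example (hypothetical names): strict parser for the DER structure
// SEQUENCE { r INTEGER, s INTEGER }. Lengths above 255 bytes are not supported.
public class StrictEcdsaSig {
    private final byte[] buf;
    private int pos;
    private StrictEcdsaSig(byte[] buf) { this.buf = buf; }

    /** Returns {r, s}; throws unless the input is exactly one SEQUENCE of two INTEGERs. */
    public static BigInteger[] parse(byte[] sig) {
        StrictEcdsaSig p = new StrictEcdsaSig(sig);
        int seqLen = p.header(0x30);
        if (p.pos + seqLen != sig.length) fail("bytes after the SEQUENCE");
        BigInteger r = p.integer(), s = p.integer();
        if (p.pos != sig.length) fail("bytes after s inside the SEQUENCE");
        return new BigInteger[] { r, s };
    }
    // Reads one tag and length, returning the content length.
    private int header(int tag) {
        if (next() != tag) fail("unexpected tag");
        int len = next();
        if (len == 0x81) {                  // one-byte long form
            len = next();
            if (len < 0x80) fail("non-minimal length");
        } else if (len >= 0x80) fail("unsupported length form");
        if (len > buf.length - pos) fail("length exceeds input");
        return len;
    }
    private BigInteger integer() {
        int len = header(0x02);
        if (len == 0) fail("empty INTEGER");
        BigInteger v = new BigInteger(Arrays.copyOfRange(buf, pos, pos + len));
        pos += len;
        if (v.signum() <= 0) fail("r and s must be positive");
        return v;
    }
    private int next() {
        if (pos >= buf.length) fail("truncated input");
        return buf[pos++] & 0xff;
    }
    private static void fail(String why) { throw new IllegalArgumentException(why); }

    public static void main(String[] args) {
        byte[] ok = { 0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02 }; // constructed: r=1, s=2
        byte[] padded = Arrays.copyOf(ok, ok.length + 1);               // same bytes plus a trailing 0x00
        System.out.println(Arrays.toString(parse(ok)));
        try { parse(padded); System.out.println("accepted"); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```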


Comments
No product issues found during recent nightly. UR SQE Ok to take the fix to CPU17_01.
05-12-2016