JDK-8240277 : EdDSA verification should fail when the default context value is different than used one.
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • Submitted: 2020-03-02
  • Updated: 2020-03-09
  • Resolved: 2020-03-09
Related Reports
Relates :  
JDK-8199231 - JEP 339: Edwards-Curve Digital Signature Algorithm (EdDSA)
Description
To reproduce:
- Create EdDSAParameterSpec where context value is empty array.
- Sign a message
- Verify the message with the signature object with null context value used. The verification will success instead fail.

Sample code attached to verify.
Comments
This is not a bug. The constructor description states: /** * Construct an EdDSAParameterSpec by specifying a context and whether the * prehash mode is used. The context may not be null, but it may be an * empty array. The mode used when the context is an empty array may not be * the same as the mode used when the context is absent. ...*/ public EdDSAParameterSpec(boolean prehash, byte[] context) { The context is added to a RFC-defined string, so providing an empty array is legitimately a different spec than providing no context at all when using the EdDSAParameterSpec(boolean) constructor
09-03-2020
The test EdDSAParameterSpec(true, new byte[]{}) for the signature, but EdDSAParameterSpec(true) for the verify operation. I need to explore if these two constructors ops should be equivalent or not. When I changed the signature params to the same used by the verify, the test was successful.
09-03-2020
I need to look into this more as the Known Answer Tests (KAT) from the RFC pass with the prehash boolean set to true. If the EdDSA code was incorrectly verifying the signature, I would have expected it to fail the KAT.
03-03-2020