Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

dghgit · dghgit · commit 43e0a72b1a4e · 2026-06-05T09:00:15.000+10:00
diff --git a/core/src/main/java/org/bouncycastle/crypto/engines/ISAACEngine.java b/core/src/main/java/org/bouncycastle/crypto/engines/ISAACEngine.java
@@ -27,8 +27,7 @@ public class ISAACEngine
     
     // Engine state
     private int     index         = 0;
-    private byte[]  keyStream     = new byte[stateArraySize<<2], // results expanded into bytes
-                    workingKey    = null;
+    private byte[]  workingKey    = null;
     private boolean initialised   = false;
     
     /**
@@ -61,14 +60,13 @@ public void init(
                     
     public byte returnByte(byte in)
     {
-        if (index == 0) 
+        if (index == 0)
         {
             isaac();
-            keyStream = Pack.intToBigEndian(results);
         }
-        byte out = (byte)(keyStream[index]^in);
+        byte out = (byte)(keyStreamByte(index)^in);
         index = (index + 1) & 1023;
-        
+
         return out;
     }
     
@@ -96,12 +94,11 @@ public int processBytes(
         
         for (int i = 0; i < len; i++)
         {
-            if (index == 0) 
+            if (index == 0)
             {
                 isaac();
-                keyStream = Pack.intToBigEndian(results);
             }
-            out[i+outOff] = (byte)(keyStream[index]^in[i+inOff]);
+            out[i+outOff] = (byte)(keyStreamByte(index)^in[i+inOff]);
             index = (index + 1) & 1023;
         }
 
@@ -189,6 +186,16 @@ private void setKey(byte[] keyBytes)
         initialised = true;
     }    
     
+    /*
+     * Extract byte idx (0..1023) of the current keystream block directly from the
+     * generated words, in the same big-endian order Pack.intToBigEndian produces:
+     * byte j of results[w] is results[w] >>> (24 - 8*j).
+     */
+    private byte keyStreamByte(int idx)
+    {
+        return (byte)(results[idx >>> 2] >>> (24 - ((idx & 3) << 3)));
+    }
+
     private void isaac()
     {
         int i, x, y;
diff --git a/docs/releasenotes.html b/docs/releasenotes.html
@@ -75,6 +75,7 @@ <h3>2.1.2 Defects Fixed</h3>
 <li>PKCS12KeyStoreSpi.processKeyBag and PKCS12PBMAC1KeyStoreSpi.processKeyBag threw a NullPointerException when loading a keystore containing an RFC 7292 sec. 4.2.1 keyBag (unencrypted PrivateKeyInfo) that either carried no bagAttributes or carried bagAttributes without a localKeyId — getBagAttributes() and the recovered localId were dereferenced unconditionally, unlike the sibling processShroudedKeyBag / processSecretBag which already guard both. Both keyBag handlers now skip the attribute scan when bagAttributes is absent and stash a localKeyId-less key under the "unmarked" alias, matching the shrouded-key-bag path, so such a keystore loads instead of failing on parse.</li>
 <li>OtherName (RFC 5280 sec. 4.2.1.6), SafeBag (RFC 7292 sec. 4.2) and SignerInfo (RFC 2315 sec. 9.2, the legacy PKCS#7 type) getInstance now validate the decoded SEQUENCE length — exactly 2 for OtherName, 2 or 3 for SafeBag, 5 to 7 for SignerInfo — and route element extraction through the typed getInstance helpers. A structurally invalid SEQUENCE (wrong element count, or an element of the wrong ASN.1 type) now fails fast with "Bad sequence size: &lt;n&gt;" / an IllegalArgumentException, rather than leaking an ArrayIndexOutOfBoundsException or ClassCastException out of the parse, matching the strict-parse behaviour of the neighbouring x509 / pkcs ASN.1 types.</li>
 <li>The OpenSSL PEM parsing path hardened its handling of malformed encryption metadata. A PEM block whose "Proc-Type: 4,ENCRYPTED" header was present but whose "DEK-Info" header was missing, or whose DEK-Info value lacked the IV component, previously leaked a NullPointerException (KeyPairParser) or NoSuchElementException out of PEMParser; both the "RSA/DSA/EC PRIVATE KEY" (KeyPairParser) and "PRIVATE KEY" (PrivateKeyParser) paths now reject such input with a PEMException ("malformed PEM data: missing or invalid DEK-Info header"). Separately, PemReader.readPemObject wrapped a malformed base64 body in a DecoderException (a RuntimeException) that escaped the method's declared IOException contract; the Base64 decode is now caught and re-thrown as an IOException with the original cause attached.</li>
+<li>Follow-up to CVE-2026-5588: the legacy id_alg_composite CompositeVerifier (org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder, used by X509CertificateHolder.isSignatureValid, CMS and TSP) iterated the component count from the supplied signature sequence rather than from the key, so although the earlier fix rejected an empty signature sequence, a composite signature truncated to a verifying prefix (e.g. stripped of its post-quantum or its classical component) still verified. The verifier now requires the signature to carry exactly one component for every component key, rejecting both under- and over-length composite signatures. The final-draft (IANA-OID) composite path was unaffected — it parses a fixed-length concatenation and already verifies every component.</li>
 </ul>
 <h3>2.2.3 Additional Features and Functionality</h3>
 <ul>
diff --git a/pkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentVerifierProviderBuilder.java b/pkix/src/main/java/org/bouncycastle/operator/jcajce/JcaContentVerifierProviderBuilder.java
@@ -430,9 +430,18 @@ public boolean verify(byte[] expected)
             try
             {
                 ASN1Sequence sigSeq = ASN1Sequence.getInstance(expected);
+
+                // A composite signature MUST carry exactly one component for every
+                // component key; reject a signature that has had components removed
+                // (e.g. stripped to a single verifiable component) or added.
+                if (sigSeq.size() != sigs.length)
+                {
+                    return false;
+                }
+
                 boolean failed = false;
                 boolean atLeastOneChecked = false;
-            
+
                 for (int i = 0; i != sigSeq.size(); i++)
                 {
                     if (sigs[i] != null)
diff --git a/pkix/src/test/java/org/bouncycastle/openssl/test/CompositeKeyTest.java b/pkix/src/test/java/org/bouncycastle/openssl/test/CompositeKeyTest.java
@@ -3,6 +3,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.OutputStream;
 import java.io.StringReader;
 import java.io.StringWriter;
 import java.math.BigInteger;
@@ -22,6 +23,9 @@
 import java.util.List;
 
 import junit.framework.TestCase;
+import org.bouncycastle.asn1.ASN1Encoding;
+import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.asn1.iana.IANAObjectIdentifiers;
 import org.bouncycastle.asn1.misc.MiscObjectIdentifiers;
@@ -52,6 +56,7 @@
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
 import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.ContentVerifier;
 import org.bouncycastle.operator.ContentVerifierProvider;
 import org.bouncycastle.operator.DigestCalculatorProvider;
 import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
@@ -327,6 +332,58 @@ public void testRSAAndECCompositeGen()
 //        doOutput("/tmp/comp_pub_1.pem", pubKeyStr);
     }
 
+
+    public void testCompositeSignatureStripping()
+        throws Exception
+    {
+        // CVE-2026-5588 follow-up: the legacy id_alg_composite ContentVerifier
+        // accepted a composite signature truncated to a single verifiable
+        // component. The empty-sequence case was fixed; an under-length sequence
+        // still passed. A composite signature MUST carry every component.
+        KeyPairGenerator ecKpg = KeyPairGenerator.getInstance("EC", "BC");
+        ecKpg.initialize(new ECNamedCurveGenParameterSpec("P-256"));
+        KeyPair ecKp = ecKpg.generateKeyPair();
+
+        KeyPairGenerator rsaKpg = KeyPairGenerator.getInstance("RSA", "BC");
+        rsaKpg.initialize(new RSAKeyGenParameterSpec(3072, RSAKeyGenParameterSpec.F4));
+        KeyPair rsaKp = rsaKpg.generateKeyPair();
+
+        // component 0 = ECDSA, component 1 = RSA
+        CompositeAlgorithmSpec compAlgSpec = new CompositeAlgorithmSpec.Builder()
+            .add("SHA256withECDSA")
+            .add("SHA256withRSA")
+            .build();
+        CompositePublicKey compPub = new CompositePublicKey(ecKp.getPublic(), rsaKp.getPublic());
+        CompositePrivateKey compPriv = new CompositePrivateKey(ecKp.getPrivate(), rsaKp.getPrivate());
+
+        ContentSigner sigGen = new JcaContentSignerBuilder("Composite", compAlgSpec).build(compPriv);
+
+        X500Name name = new X500Name("CN=Composite Strip Test");
+        X509CertificateHolder certHldr = new JcaX509v3CertificateBuilder(
+            name, BigInteger.valueOf(1),
+            new Date(System.currentTimeMillis() - 50000), new Date(System.currentTimeMillis() + 50000),
+            name, compPub).build(sigGen);
+
+        // the genuine 2-of-2 composite signature verifies
+        assertTrue("genuine composite signature should verify",
+            certHldr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(compPub)));
+
+        AlgorithmIdentifier sigAlgId = certHldr.getSignatureAlgorithm();
+        byte[] tbs = certHldr.toASN1Structure().getTBSCertificate().getEncoded(ASN1Encoding.DER);
+        ASN1Sequence sigSeq = ASN1Sequence.getInstance(certHldr.getSignature());
+        assertTrue("expected a two-component composite signature", sigSeq.size() == 2);
+
+        // strip the RSA component, leaving only the (genuine) ECDSA component
+        byte[] strippedSig = new DERSequence(sigSeq.getObjectAt(0)).getEncoded(ASN1Encoding.DER);
+
+        ContentVerifier cv = new JcaContentVerifierProviderBuilder().build(compPub).get(sigAlgId);
+        OutputStream sOut = cv.getOutputStream();
+        sOut.write(tbs);
+        sOut.close();
+
+        assertFalse("composite signature stripped of a component must not verify", cv.verify(strippedSig));
+    }
+
     public void testRSAAndECCompositeSignedDataGen()
         throws Exception
     {

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,7 @@ public class ISAACEngine`
`27`	`27`
`28`	`28`	`// Engine state`
`29`	`29`	`private int index = 0;`
`30`		`- private byte[] keyStream = new byte[stateArraySize<<2], // results expanded into bytes`
`31`		`- workingKey = null;`
	`30`	`+ private byte[] workingKey = null;`
`32`	`31`	`private boolean initialised = false;`
`33`	`32`
`34`	`33`	`/**`
`@@ -61,14 +60,13 @@ public void init(`
`61`	`60`
`62`	`61`	`public byte returnByte(byte in)`
`63`	`62`	`{`
`64`		`- if (index == 0)`
	`63`	`+ if (index == 0)`
`65`	`64`	`{`
`66`	`65`	`isaac();`
`67`		`- keyStream = Pack.intToBigEndian(results);`
`68`	`66`	`}`
`69`		`- byte out = (byte)(keyStream[index]^in);`
	`67`	`+ byte out = (byte)(keyStreamByte(index)^in);`
`70`	`68`	`index = (index + 1) & 1023;`
`71`		`-`
	`69`	`+`
`72`	`70`	`return out;`
`73`	`71`	`}`
`74`	`72`
`@@ -96,12 +94,11 @@ public int processBytes(`
`96`	`94`
`97`	`95`	`for (int i = 0; i < len; i++)`
`98`	`96`	`{`
`99`		`- if (index == 0)`
	`97`	`+ if (index == 0)`
`100`	`98`	`{`
`101`	`99`	`isaac();`
`102`		`- keyStream = Pack.intToBigEndian(results);`
`103`	`100`	`}`
`104`		`- out[i+outOff] = (byte)(keyStream[index]^in[i+inOff]);`
	`101`	`+ out[i+outOff] = (byte)(keyStreamByte(index)^in[i+inOff]);`
`105`	`102`	`index = (index + 1) & 1023;`
`106`	`103`	`}`
`107`	`104`
`@@ -189,6 +186,16 @@ private void setKey(byte[] keyBytes)`
`189`	`186`	`initialised = true;`
`190`	`187`	`}`
`191`	`188`
	`189`	`+ /*`
	`190`	`+ * Extract byte idx (0..1023) of the current keystream block directly from the`
	`191`	`+ * generated words, in the same big-endian order Pack.intToBigEndian produces:`
	`192`	`+ * byte j of results[w] is results[w] >>> (24 - 8*j).`
	`193`	`+ */`
	`194`	`+ private byte keyStreamByte(int idx)`
	`195`	`+ {`
	`196`	`+ return (byte)(results[idx >>> 2] >>> (24 - ((idx & 3) << 3)));`
	`197`	`+ }`
	`198`	`+`
`192`	`199`	`private void isaac()`
`193`	`200`	`{`
`194`	`201`	`int i, x, y;`