[SECURITY-3404]

Co-authored-by: Daniel Beck <daniel-beck@users.noreply.github.com>

Author: rsandell

README.md

@@ -13,5 +13,6 @@ Refer to our [contribution guidelines](https://github.com/jenkinsci/.github/blob
 
 ## LICENSE
 
-Licensed under MIT, see [LICENSE](LICENSE.md)
+Plugin Licensed under MIT, see [LICENSE](LICENSE.md)
 
+ed25519-java licensed under CC0 1.0 Universal, see [LICENSE](https://github.com/str4d/ed25519-java/blob/7c26a6312c2d2e887210930698706103e0f2da7d/LICENSE.txt)

pom.xml

@@ -26,7 +26,7 @@
     <url>https://github.com/jenkinsci/eddsa-api-plugin</url>
   </scm>
   <properties>
-    <revision>0.3.0</revision>
+    <revision>0.3.0.1</revision>
     <changelist>999999-SNAPSHOT</changelist>
     <jenkins.version>2.479.1</jenkins.version>
     <spotless.check.skip>false</spotless.check.skip>

src/main/java/net/i2p/crypto/eddsa/EdDSAEngine.java

@@ -12,6 +12,7 @@
 package net.i2p.crypto.eddsa;
 
 import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
 import java.nio.ByteBuffer;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
@@ -28,6 +29,7 @@
 import net.i2p.crypto.eddsa.math.Curve;
 import net.i2p.crypto.eddsa.math.GroupElement;
 import net.i2p.crypto.eddsa.math.ScalarOps;
+import net.i2p.crypto.eddsa.math.bigint.BigIntegerLittleEndianEncoding;
 
 /**
  * Signing and verification for EdDSA.
@@ -272,6 +274,9 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
         }
     }
 
+    private static final BigInteger BL_ORDER =
+            new BigInteger("2").pow(252).add(new BigInteger("27742317777372353535851937790883648493"));
+
     private boolean x_engineVerify(byte[] sigBytes) throws SignatureException {
         Curve curve = key.getParams().getCurve();
         int b = curve.getField().getb();
@@ -301,6 +306,10 @@ private boolean x_engineVerify(byte[] sigBytes) throws SignatureException {
         h = key.getParams().getScalarOps().reduce(h);
 
         byte[] Sbyte = Arrays.copyOfRange(sigBytes, b / 8, b / 4);
+        // RFC 8032
+        BigInteger Sbigint = (new BigIntegerLittleEndianEncoding()).toBigInteger(Sbyte);
+        if (Sbigint.compareTo(BL_ORDER) >= 0) return false;
+
         // R = SB - H(Rbar,Abar,M)A
         GroupElement R = key.getParams()
                 .getB()

src/test/java/io/jenkins/plugins/eddsa_api/security3404/EncodingUtils.java

@@ -0,0 +1,39 @@
+// Copyright (c) Facebook, Inc. and its affiliates.
+//
+// This source code is licensed under the APACHE 2.0 license found in
+// the LICENSE file in the root directory of the source tree
+// https://github.com/novifinancial/ed25519-speccheck/blob/main/scripts/ed25519-java/src/main/java/EncodingUtils.java
+
+package io.jenkins.plugins.eddsa_api.security3404;
+
+/** Encoding utils for cryptographic material. **/
+public class EncodingUtils {
+
+    /** Get X509 format of a compressed Edwards point (public key). **/
+    public static byte[] compressedEd25519PublicKeyToX509(byte[] compressedPublicKey) {
+        int totlen = 12 + compressedPublicKey.length;
+        byte[] rv = new byte[totlen];
+        int idx = 0;
+        // sequence
+        rv[idx++] = 0x30;
+        rv[idx++] = (byte) (totlen - 2);
+        // Algorithm Identifier
+        // sequence
+        rv[idx++] = 0x30;
+        rv[idx++] = 5;
+        // OID
+        // https://msdn.microsoft.com/en-us/library/windows/desktop/bb540809%28v=vs.85%29.aspx
+        rv[idx++] = 0x06;
+        rv[idx++] = 3;
+        rv[idx++] = 43;
+        rv[idx++] = 101;
+        rv[idx++] = (byte) 112;
+        // params - absent
+        // the key
+        rv[idx++] = 0x03; // bit string
+        rv[idx++] = (byte) (1 + compressedPublicKey.length);
+        rv[idx++] = 0; // number of trailing unused bits
+        System.arraycopy(compressedPublicKey, 0, rv, idx, compressedPublicKey.length);
+        return rv;
+    }
+}

src/test/java/io/jenkins/plugins/eddsa_api/security3404/Security3404Test.java

@@ -0,0 +1,83 @@
+package io.jenkins.plugins.eddsa_api.security3404;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.List;
+import net.i2p.crypto.eddsa.EdDSAEngine;
+import net.i2p.crypto.eddsa.EdDSAPublicKey;
+import net.i2p.crypto.eddsa.Utils;
+import net.i2p.crypto.eddsa.spec.EdDSANamedCurveTable;
+import net.i2p.crypto.eddsa.spec.EdDSAParameterSpec;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+
+@RunWith(Parameterized.class)
+public class Security3404Test {
+    private final String messageHex;
+    private final String publicKeyHex;
+    private final String signatureHex;
+
+    private static final EdDSAParameterSpec spec = EdDSANamedCurveTable.getByName(EdDSANamedCurveTable.ED_25519);
+
+    @Parameterized.Parameters
+    public static List<List<String>> parameters() {
+        // See https://eprint.iacr.org/2020/1244.pdf Table 6 c), as well as Section 5.1 for an explanation that these
+        // signatures are supposed to fail to ensure SUF-CMA property
+        return List.of(
+                List.of(
+                        "85e241a07d148b41e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec40",
+                        "442aad9f089ad9e14647b1ef9099a1ff4798d78589e66f28eca69c11f582a623",
+                        "e96f66be976d82e60150baecff9906684aebb1ef181f67a7189ac78ea23b6c0e547f7690a0e2ddcd04d87dbc3490dc19b3b3052f7ff0538cb68afb369ba3a514"),
+                List.of(
+                        "85e241a07d148b41e47d62c63f830dc7a6851a0b1f33ae4bb2f507fb6cffec40",
+                        "442aad9f089ad9e14647b1ef9099a1ff4798d78589e66f28eca69c11f582a623",
+                        "8ce5b96c8f26d0ab6c47958c9e68b937104cd36e13c33566acd2fe8d38aa19427e71f98a473474f2f13f06f97c20d58cc3f54b8bd0d272f42b695dd7e89a8c22"));
+    }
+
+    @Test
+    public void testCases5And6() throws NoSuchAlgorithmException {
+        assertThat(verify_i2p(), is(false));
+    }
+
+    public Security3404Test(List<String> parameters) {
+        messageHex = parameters.get(0);
+        publicKeyHex = parameters.get(1);
+        signatureHex = parameters.get(2);
+    }
+
+    /**
+     * Return EdDSAPublicKey object from the hex representation of the compressed Edwards public key point.
+     **/
+    // Code used under Apache 2.0 license from
+    // https://github.com/novifinancial/ed25519-speccheck/blob/main/scripts/ed25519-java/src/main/java/Ed25519TestCase.java
+    private EdDSAPublicKey decodePublicKey() throws InvalidKeySpecException {
+        byte[] pk = Utils.hexToBytes(this.publicKeyHex);
+        byte[] x509pk = EncodingUtils.compressedEd25519PublicKeyToX509(pk);
+        X509EncodedKeySpec encoded = new X509EncodedKeySpec(x509pk);
+        return new EdDSAPublicKey(encoded);
+    }
+
+    /**
+     * Pure Ed25519 signature verification using the i2p lib, it returns false if it fails or if an exception occurs).
+     **/
+    // Code used under Apache 2.0 license from
+    // https://github.com/novifinancial/ed25519-speccheck/blob/main/scripts/ed25519-java/src/main/java/Ed25519TestCase.java
+    public boolean verify_i2p() {
+        try {
+            EdDSAPublicKey publicKey = decodePublicKey();
+            byte[] messageBytes = Utils.hexToBytes(this.messageHex);
+            byte[] signatureBytes = Utils.hexToBytes(this.signatureHex);
+            EdDSAEngine sgr = new EdDSAEngine(MessageDigest.getInstance(spec.getHashAlgorithm()));
+            sgr.initVerify(publicKey);
+            return sgr.verifyOneShot(messageBytes, signatureBytes);
+        } catch (Exception e) {
+            return false;
+        }
+    }
+}