Psychic Signatures in Java [CVE-2022-21449]

We discussed this vulnerability during Episode 139 on 25 April 2022.

Java’s implementation of ECDSA signature validation deviated from the algorithm in two distinct ways that could allow any attacker to craft a valid signature for any key.

There are two issues at play:

1. The r and s values provided in the signature were not checked to ensure they were in range (greater than 0 and less than the order of the curve).
2. Mathematically, there is no defined multiplicative inverse for 0; however, the Java implementation returned 0 as the inverse of 0.

These two issues combine such that a signature with an r and s of 0 will be accepted as a valid signature for any private key, as this ultimately resolves to multiplication by 0 in calculating the “real” signature.
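The following is an added example, not code from the JDK or from the original write-up. It models both issues on a constructed textbook curve and shows the range check rejecting the all-zero signature. The names `lenient_inverse` and `verify`, the sample key and signature, and the convention that the point at infinity reads as x = 0 are assumptions of this model.

```python
# Toy model (constructed): textbook curve y^2 = x^3 + 2x + 2 over F_17,
# generator G = (5, 1) of prime order N = 19. Not a real-world curve.
P, A, N, G = 17, 2, 19, (5, 1)
PUB = (10, 6)      # constructed sample public key: 3 * G
Z, SIG = 11, (3, 5)  # constructed digest and its honest signature (nonce 4)

def add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p == q:
        m = (3 * x1 * x1 + A) * pow(2 * y1 % P, -1, P) % P
    else:
        m = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, p):
    """Double-and-add scalar multiplication; mul(0, p) is infinity."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p, k = add(p, p), k >> 1
    return acc

def lenient_inverse(x):
    # Exponentiation-based inverse: yields 0 for x = 0 instead of failing,
    # mirroring the "inverse of 0 is 0" behaviour described above.
    return pow(x, N - 2, N)

def verify(z, r, s, pub, check_range):
    """ECDSA verification; check_range toggles the required bounds check."""
    if check_range and not (0 < r < N and 0 < s < N):
        return False
    w = lenient_inverse(s)
    point = add(mul(z * w % N, G), mul(r * w % N, pub))
    # Assumption of this model: infinity's x-coordinate reads as 0.
    x = 0 if point is None else point[0]
    return x % N == r
```

With `check_range=False`, `verify(z, 0, 0, pub, False)` is true for every digest and public key, while the honest signature `SIG` verifies under both settings.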

We previously covered this same issue in the Stark Bank library for Python.