santuario-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Colm O hEigeartaigh <>
Subject Re: 2.0.4 release
Date Tue, 14 Apr 2015 14:02:21 GMT
Ok cool. I'll call a vote tomorrow.


On Mon, Apr 13, 2015 at 5:35 PM, Cantor, Scott <> wrote:

> On 4/13/15, 9:56 AM, "Cantor, Scott" <> wrote:
> >On 4/13/15, 5:10 AM, "Colm O hEigeartaigh" <> wrote:
> >>
> >>I'll call a vote on a 2.0.4 Java release in a few days, so shout now if
> there is anything else to go into it.
> >
> >I (or somebody from my project) may be filing a bug soon related to what
> appears to be a regression in the RSA verify code that dates back a while
> (probably to before 2.0.0). We're seeing signatures fail that a lot of
> other tools are reporting are valid (the C++ library included). Seems to be
> related to signature length and padding issues when the signature has 00
> bytes and ends up encoded as shorter than 256 bytes (for a 2048 bit key
> anyway).
> I could have held my tongue and saved the time, but Ian says he's found
> pretty clear spec language in the RFCs that indicate the Java code is
> right, and everything else seems to be wrong, so false alarm. It does seem
> that the old 1.4 Java code accepted these signatures, so apparently it was
> a bug and was fixed.
> We don't think the false positives are a big thing since it's just
> implicitly padding zeros probably, but it's not strictly correct. I'm going
> to file a Santuario C++ bug and look into what OpenSSL's primitives are
> doing.
> -- Scott

Colm O hEigeartaigh

Talend Community Coder

View raw message