hierynomus/sshj

Invalid encoding for signature: redundant leading 0s

charego opened this issue · 4 comments

Related bugs:

  1. https://sourceforge.net/p/jsch/bugs/111/
  2. https://bugs.openjdk.java.net/browse/JDK-8174719

Synopsis:

Security fix in Java 8u121 exposed an encoding issue in some SSH libraries. In other words, these libraries were relying on buggy code in the JDK. Now that it's fixed in the JDK, these libraries mess up. Specifically: redundant 0s should be stripped from the signature.

Environment:

  • Java 8u144
  • sshj 0.21.1
  • connecting to Cisco devices (IOS XRs)

ERROR [net.schmizz.concurrent.Promise] <<kex done>> woke to: net.schmizz.sshj.transport.TransportException: Invalid encoding for signature
...
Caused by: net.schmizz.sshj.transport.TransportException: Invalid encoding for signature
    at net.schmizz.sshj.transport.TransportException$1.chain(TransportException.java:33)
    at net.schmizz.sshj.transport.TransportException$1.chain(TransportException.java:27)
    at net.schmizz.concurrent.Promise.deliverError(Promise.java:96)
    at net.schmizz.concurrent.Event.deliverError(Event.java:74)
    at net.schmizz.concurrent.ErrorDeliveryUtil.alertEvents(ErrorDeliveryUtil.java:34)
    at net.schmizz.sshj.transport.KeyExchanger.notifyError(KeyExchanger.java:386)
    at net.schmizz.sshj.transport.TransportImpl.die(TransportImpl.java:600)
    at net.schmizz.sshj.transport.Reader.run(Reader.java:67)
Caused by: net.schmizz.sshj.common.SSHException: Invalid encoding for signature
    at net.schmizz.sshj.common.SSHException$1.chain(SSHException.java:36)
    at net.schmizz.sshj.common.SSHException$1.chain(SSHException.java:29)
    at net.schmizz.sshj.transport.TransportImpl.die(TransportImpl.java:595)
    ... 1 common frames omitted
Caused by: net.schmizz.sshj.common.SSHRuntimeException: Invalid encoding for signature
    at net.schmizz.sshj.signature.SignatureDSA.verify(SignatureDSA.java:102)
    at net.schmizz.sshj.transport.kex.AbstractDHG.next(AbstractDHG.java:85)
    at net.schmizz.sshj.transport.KeyExchanger.handle(KeyExchanger.java:358)
    at net.schmizz.sshj.transport.TransportImpl.handle(TransportImpl.java:503)
    at net.schmizz.sshj.transport.Decoder.decode(Decoder.java:102)
    at net.schmizz.sshj.transport.Decoder.received(Decoder.java:170)
    at net.schmizz.sshj.transport.Reader.run(Reader.java:59)
Caused by: java.security.SignatureException: Invalid encoding for signature
    at sun.security.provider.DSA.engineVerify(DSA.java:283)
    at sun.security.provider.DSA.engineVerify(DSA.java:244)
    at java.security.Signature$Delegate.engineVerify(Signature.java:1219)
    at java.security.Signature.verify(Signature.java:652)
    at net.schmizz.sshj.signature.SignatureDSA.verify(SignatureDSA.java:100)
    ... 6 common frames omitted
Caused by: java.io.IOException: Invalid encoding: redundant leading 0s
    at sun.security.util.DerInputBuffer.getBigInteger(DerInputBuffer.java:152)
    at sun.security.util.DerValue.getBigInteger(DerValue.java:512)
    at sun.security.provider.DSA.engineVerify(DSA.java:281)
    ... 10 common frames omitted
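The encoding point in the synopsis, shown as an added example rather than sshj's own code: an `ssh-dss` signature travels on the wire as r||s, two fixed-width 20-byte unsigned integers (RFC 4253 section 6.6), while `java.security.Signature.verify()` wants DER `SEQUENCE { INTEGER r, INTEGER s }`. A DER INTEGER must be minimally encoded, so copying the 20 bytes verbatim leaves redundant leading 0x00 bytes whenever r or s happens to be small, and that is exactly what `DerInputBuffer.getBigInteger` in 8u121 and later rejects. The class name `DsaSigDer`, its method names and the sample r/s values below are assumptions constructed for this illustration.

```java
// Added example, not part of sshj: convert an SSH r||s DSA signature into the
// DER SEQUENCE of two minimally encoded INTEGERs that the JDK's DSA verifier
// accepts. Class and method names are hypothetical.
import java.io.ByteArrayOutputStream;
import java.util.Arrays;

public class DsaSigDer {

    /** Minimal DER INTEGER body for a non-negative big-endian value:
     *  strip redundant 0x00 bytes, keep one 0x00 sign byte only when the top bit is set. */
    static byte[] minimalInteger(byte[] unsigned) {
        int i = 0;
        while (i < unsigned.length - 1 && unsigned[i] == 0) i++; // keep at least one byte (zero encodes as 0x00)
        if ((unsigned[i] & 0x80) != 0) {
            byte[] body = new byte[unsigned.length - i + 1];     // body[0] is already 0x00 (sign byte)
            System.arraycopy(unsigned, i, body, 1, unsigned.length - i);
            return body;
        }
        return Arrays.copyOfRange(unsigned, i, unsigned.length);
    }

    /** Writes one DER tag-length-value. Short-form length suffices: each DSA
     *  component is at most 21 bytes here, so the SEQUENCE stays well under 128. */
    static void writeTlv(ByteArrayOutputStream out, int tag, byte[] value) {
        if (value.length >= 128) throw new IllegalArgumentException("long-form DER length not handled");
        out.write(tag);
        out.write(value.length);
        out.write(value, 0, value.length);
    }

    /** SSH wire r||s (two equal halves) -> DER SEQUENCE { INTEGER r, INTEGER s }. */
    public static byte[] sshToDer(byte[] rs) {
        if (rs.length % 2 != 0) throw new IllegalArgumentException("r||s must have even length");
        int half = rs.length / 2;
        ByteArrayOutputStream inner = new ByteArrayOutputStream();
        writeTlv(inner, 0x02, minimalInteger(Arrays.copyOfRange(rs, 0, half)));
        writeTlv(inner, 0x02, minimalInteger(Arrays.copyOfRange(rs, half, rs.length)));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        writeTlv(out, 0x30, inner.toByteArray());
        return out.toByteArray();
    }

    /** The condition the strict JDK decoder rejects: a leading 0x00 that is not
     *  needed as a sign byte because the following byte's top bit is clear. */
    static boolean hasRedundantLeadingZero(byte[] integerBody) {
        return integerBody.length > 1 && integerBody[0] == 0 && (integerBody[1] & 0x80) == 0;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x & 0xff));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: r is small (three leading zero bytes on the wire),
        // s has its top bit set (needs one 0x00 sign byte in DER).
        byte[] r = new byte[20];
        r[3] = 0x01;
        r[19] = 0x7f;
        byte[] s = new byte[20];
        Arrays.fill(s, (byte) 0xff);
        byte[] rs = new byte[40];
        System.arraycopy(r, 0, rs, 0, 20);
        System.arraycopy(s, 0, rs, 20, 20);

        // Verbatim copy of the 20-byte r is what the JDK now flags; the minimal form is not.
        System.out.println("raw r redundant leading zero: " + hasRedundantLeadingZero(r));
        System.out.println("minimal r redundant leading zero: " + hasRedundantLeadingZero(minimalInteger(r)));
        System.out.println("DER signature: " + hex(sshToDer(rs)));
    }
}
```

Running `main` shows the raw r flagged and the minimal r clean, and prints a SEQUENCE whose first INTEGER is 17 bytes (the three redundant zeros removed) and whose second is 21 bytes (20 bytes of 0xff plus a single 0x00 sign byte). The same helper also covers the opposite direction of the bug class: values whose top bit is set must not be emitted without the sign byte, or the JDK would read them as negative.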

If you have a unit test case to reproduce this that would be great.

@charlesrgould Can you craft a unit test case that fails, so that we can get to work on solving this? Thanks!

I've been trying to do just that. On our devices it's intermittent. The code logs in to the device several times in short succession, using username-password auth. Occasionally we see this exception about the key exchange messing up. Do you have any insight (or guess) as to what could be the problem?

Feel free to close the two tickets I created if I fail to generate a test case within the next few weeks.