CVE-2022-21449: Psychic Signatures in Java

https://neilmadden.blog/2022/04/19/psychic-signatures-in-java/ [neilmadden.blog]

2022-04-20 03:12

One side of the equation is r and the other side is multiplied by r and a value derived from s. So it would obviously be a really bad thing if r and s were both 0, because then you’d be checking that 0 = 0 ⨉ [a bunch of stuff], which will be true regardless of the value of [a bunch of stuff]! And that bunch of stuff is the important bits like the message and the public key. This is why the very first check in the ECDSA verification algorithm is to ensure that r and s are both >= 1.

Guess which check Java forgot?

source: HN