Issue affecting: BC-FJA 1.0.0, BC-FJA 1.0.1, BC 1.60 or earlier.

Fixed versions: BC-FJA 1.0.1.2, BC-FJA 1.0.2 and later, BC 1.61 or later

Issue: CWE-203: Observable Differences in Behavior to Error Inputs

Sending an invalid cipher text which decrypted to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

See commit https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1 for the changes.

Workaround Details

The issue can be mitigated by employing a similar approach to RFC 5246, Section 7.4.7.1, by doing an initial raw RSA decryption calculation simply to do a length check on the payload and then either decrypting a known payload and then returning failure where the original payload turns out to be too small, or passing the payload through for decryption where the payload is the correct size.

For a payload to be the correct length, the result of the raw decryption calculation should be seen to be the ceiling of bitLength/8 octets in length, where bitLength is the size of the RSA modulus in bits.