jsrsasign Missing Cryptographic Step Vulnerability in DSA Signing Process

Vulnerability

A vulnerability exists in the jsrsasign cryptographic library, specifically in versions prior to 11.1.1. The issue arises in the DSA signing implementation, where the signing process does not properly validate the signature components 'r' and 's'. This oversight allows an attacker to manipulate the signing process by forcing 'r' or 's' to be zero, resulting in an invalid signature. The library fails to retry the signing operation, as required by the FIPS 186-4 standard. Exploiting this vulnerability enables the recovery of the private key from the invalid signature.

Impact

Forcing 's' to zero creates a signature that can be used to calculate the private key, violating the integrity of the cryptographic process. This vulnerability also represents a FIPS 186-4 specification violation, as it disregards required checks and procedures in DSA signature generation.

Reproduction

The vulnerability can be reproduced by using a script that forces the DSA signing function to produce a signature with 's' equal to zero. This can be achieved by selecting a specific ephemeral key value and a corresponding message hash that will result in the invalid signature. Once the invalid signature is generated, the private key can be recovered using a mathematical formula that exploits the signature's invalidity.

Remediation

Users are advised to upgrade jsrsasign to version 11.1.1 or higher, where this vulnerability has been addressed.
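
The retry that FIPS 186-4 requires, sketched as an added example (this is not jsrsasign's code or its 11.1.1 patch): a textbook DSA signer that discards any result with r = 0 or s = 0 and draws a fresh k, plus a verifier that range-checks both components first. The domain parameters, key, hash value, nonce list and function names are constructed for illustration and are far too small for real use.

```javascript
// Constructed toy DSA domain parameters (far too small for real use): G has order Q modulo P.
const P = 23n, Q = 11n, G = 4n;

const mod = (a, m) => ((a % m) + m) % m;

function modPow(base, exp, m) {
  let result = 1n;
  for (base = mod(base, m); exp > 0n; exp >>= 1n) {
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
  }
  return result;
}

// Q is prime, so a^(Q-2) mod Q is the inverse of a (Fermat's little theorem).
const invModQ = (a) => modPow(a, Q - 2n, Q);

// nextK is a hypothetical nonce source returning k in [1, Q-1]; in production it must be a CSPRNG.
function signDsa(h, x, nextK, maxTries = 16) {
  for (let attempt = 1; attempt <= maxTries; attempt++) {
    const k = nextK();
    const r = mod(modPow(G, k, P), Q);
    const s = mod(invModQ(k) * (h + x * r), Q);
    // FIPS 186-4 check: r == 0 or s == 0 is not a signature, so draw a new k and retry.
    if (r !== 0n && s !== 0n) return { r, s, attempts: attempt };
  }
  throw new Error("no valid signature after " + maxTries + " attempts");
}

function verifyDsa(h, sig, y) {
  const { r, s } = sig;
  // Range check first: reject anything outside [1, Q-1] before doing any arithmetic.
  if (r <= 0n || r >= Q || s <= 0n || s >= Q) return false;
  const w = invModQ(s);
  const v = mod(modPow(G, mod(h * w, Q), P) * modPow(y, mod(r * w, Q), P), P) % Q;
  return v === r;
}

// Constructed test vector: with x = 7, h = 6 and k = 3 the raw computation gives s = 0.
function demo() {
  const x = 7n, y = modPow(G, x, P), h = 6n;
  const nonces = [3n, 5n]; // fixed only to make the retry reproducible
  const sig = signDsa(h, x, () => nonces.shift());
  return { sig, ok: verifyDsa(h, sig, y), zeroRejected: verifyDsa(h, { r: 7n, s: 0n }, y) };
}
```

The first nonce yields s = 0 and is thrown away; the signature returned comes from the second nonce and verifies, while a pair carrying s = 0 is rejected by the verifier's range check.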

Added: Mar 23, 2026, 6:19 AM
Updated: Mar 23, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 5.0
exploitability: 6.0
remediation: 7.7
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.