
Regression with v1.77+ in RSACoreEngine

Open martinpaljak opened this issue 6 months ago • 2 comments

Until v1.76 (included) RSACoreEngine worked when the passed in RSA CRT parameters were without public exponent.

With a simulator that uses BC (jcardsim, simulating JavaCard) the private CRT key object does NOT have access to public key elements other than modulus: https://docs.oracle.com/en/java/javacard/3.2/jcapi/api_classic/javacard/security/RSAPrivateCrtKey.html

This makes 1.77+ not usable, as now the previous "if crt, else" block always depends on having access to the public exponent in any case in RSACoreEngine.processBlock().

More precisely this change: https://github.com/bcgit/bc-java/commit/c62e5d0aaa222dfbba2422d8249f9e28a1c64158

As the use is simulation, I don't really need any attack protection, so I'd like to revert back to the old requirements or somehow allow omitting the Lenstra's check. Calculating the exponent from the components is a workaround that is not really "right".

martinpaljak avatar Jun 15 '25 07:06 martinpaljak

Most of the library uses RSA (signing, decryption) via RSABlindedEngine, which already needed the public exponent, so it strikes me that you must be using RSACoreEngine either directly or through only RSAEngine?

Perhaps it would be possible to use other approaches to protect against timing and fault attacks, but given that you are only interested in simulation anyway, is it an option that you just copy the math parts of the code?

peterdettman avatar Jun 18 '25 08:06 peterdettman

Yes, RSAEngine. This is how it was:

https://github.com/licel/jcardsim/blob/master/src/main/java/com/licel/jcardsim/crypto/AsymmetricCipherImpl.java#L53-L65

https://github.com/licel/jcardsim/blob/master/src/main/java/com/licel/jcardsim/crypto/RSAPrivateCrtKeyImpl.java#L129-L133

This is how I ended up "fixing" it for now with 1.81:

https://github.com/martinpaljak/jcardsim/blob/next/simulator/src/main/java/com/licel/jcardsim/crypto/RSAPrivateCrtKeyImpl.java#L134-L224

martinpaljak avatar Jun 18 '25 11:06 martinpaljak

Okay, so what you actually mean is that RSA becomes so slow it's not usable; this doesn't make it unusable, just a real pain to use because it takes seemingly forever... Vagaries of language aside though, speaking as someone who's struggling with regression testing and the effects of PQC, I agree having to recalculate the public exponent isn't great either for the situation you've described. I have added a system property which will enable disabling the check.

Now up on https://downloads.bouncycastle.org/betas. The property is "org.bouncycastle.rsa.no_lenstra_check", by default false. Let me know how it goes.

dghgit avatar Oct 24 '25 21:10 dghgit

@dghgit Would be useful if you also had a Maven-addressable repository for the snapshots!

martinpaljak avatar Oct 25 '25 05:10 martinpaljak

@dghgit Yes, this works, thanks! https://github.com/martinpaljak/JCardEngine/commit/2633295c036b68179ebc173911b4e408ac481686

martinpaljak avatar Oct 25 '25 05:10 martinpaljak

Now in 1.83.

dghgit avatar Nov 30 '25 08:11 dghgit
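
The check discussed in this thread, as an added example written with plain `java.math.BigInteger` (it is not Bouncy Castle's or jcardsim's code): an RSA-CRT private operation whose result is re-encrypted with the public exponent before release, plus one way to derive `e` from `p` and `dP` when the key object does not carry it. The class and method names, the 512-bit demo primes and `e = 65537` are assumptions; the derivation only holds when `e < p - 1`.

```java
import java.math.BigInteger;
import java.security.SecureRandom;

public class LenstraCheckDemo {
    // RSA-CRT private operation; faultInP simulates a glitch in the mod-p half.
    static BigInteger crt(BigInteger c, BigInteger p, BigInteger q, BigInteger dP,
                          BigInteger dQ, BigInteger qInv, boolean faultInP) {
        BigInteger mP = c.mod(p).modPow(dP, p);
        if (faultInP) mP = mP.flipBit(0);
        BigInteger mQ = c.mod(q).modPow(dQ, q);
        BigInteger h = mP.subtract(mQ).multiply(qInv).mod(p);
        return mQ.add(h.multiply(q));
    }

    // The check: re-encrypt with e and compare with the input before releasing m.
    static BigInteger checked(BigInteger c, BigInteger n, BigInteger e, BigInteger m) {
        if (!m.modPow(e, n).equals(c))
            throw new IllegalStateException("CRT result failed re-encryption check");
        return m;
    }

    // e * dP = 1 (mod p-1), so e = dP^-1 mod (p-1) whenever e < p-1 (assumption).
    static BigInteger recoverE(BigInteger p, BigInteger dP) {
        return dP.modInverse(p.subtract(BigInteger.ONE));
    }

    static BigInteger prime(SecureRandom r, BigInteger e) { // p with gcd(e, p-1) = 1
        BigInteger p;
        do { p = BigInteger.probablePrime(512, r); }
        while (!p.subtract(BigInteger.ONE).gcd(e).equals(BigInteger.ONE));
        return p;
    }

    public static void main(String[] args) {
        SecureRandom r = new SecureRandom();
        BigInteger e = BigInteger.valueOf(65537); // constructed demo key, not a real one
        BigInteger p = prime(r, e), q = prime(r, e), n = p.multiply(q);
        BigInteger dP = e.modInverse(p.subtract(BigInteger.ONE));
        BigInteger dQ = e.modInverse(q.subtract(BigInteger.ONE));
        BigInteger qInv = q.modInverse(p), c = new BigInteger(n.bitLength() - 1, r);
        BigInteger e2 = recoverE(p, dP); // derived from CRT components only
        System.out.println("recovered e: " + e2);
        checked(c, n, e2, crt(c, p, q, dP, dQ, qInv, false));
        System.out.println("fault-free result passed the check");
        try {
            checked(c, n, e2, crt(c, p, q, dP, dQ, qInv, true));
        } catch (IllegalStateException ex) {
            System.out.println("faulty result withheld: " + ex.getMessage());
        }
    }
}
```

The check costs one extra modular exponentiation with `e` per private-key operation; deriving `e` adds a modular inversion that can be done once per key and cached.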