Verifier generator bug
Issue #10
resolved
Reported by Daniel N, email:
Hi,
I have tested the Nimbus SRP lib and I found a bug in the "public BigInteger generateVerifier(final BigInteger salt, final String userID, final String password)" method in SRP6VerifierGenerator.java.
The type conversion of the salt from BigInteger to byte[] is not removing the sign bit, which causes the verifier v to be calculated wrongly.
The code below solves the problem; I have tested it against the SRP test vectors in RFC 5054:
    public BigInteger generateVerifier(final BigInteger salt, final String userID, final String password) {
        byte[] userIDBytes = null;
        if (userID != null)
            userIDBytes = userID.getBytes(Charset.forName("UTF-8"));
        // BigInteger.toByteArray() returns a two's-complement encoding, so a salt whose
        // top bit is set comes back with a leading 0x00 sign byte that must not be hashed.
        byte[] salt_arr = salt.toByteArray();
        // The length guard keeps a zero salt ({0x00}) from collapsing to an empty array.
        if (salt_arr.length > 1 && salt_arr[0] == 0) {
            byte[] tmp = new byte[salt_arr.length - 1];
            System.arraycopy(salt_arr, 1, tmp, 0, tmp.length);
            salt_arr = tmp;
        }
        return generateVerifier(salt_arr, userIDBytes, password.getBytes(Charset.forName("UTF-8")));
    }
BR Daniel
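The sign-byte effect the report describes, shown as an added Python demonstration (not the Nimbus library's code): it emulates BigInteger.toByteArray(), then derives x = H(s | H(I ":" P)) with SHA-1 both with and without the fix and checks the result against the RFC 5054 Appendix B test vector. The helper names are assumptions chosen for this example.

```python
import hashlib

# RFC 5054 Appendix B test vector (SHA-1 group test, I = "alice", P = "password123").
# The salt starts with 0xBE, so its top bit is set: exactly the case that triggers the bug.
RFC5054_SALT = 0xBEB25379D1A8581EB5A727673A2441EE
RFC5054_X = 0x94B7555AABE9127CC58CCF4993DB6CF84D16C124


def java_to_byte_array(n: int) -> bytes:
    """Emulate java.math.BigInteger.toByteArray() for non-negative n:
    minimal big-endian two's-complement, i.e. a leading 0x00 is added
    whenever the most significant bit of the magnitude is set."""
    if n == 0:
        return b"\x00"
    length = n.bit_length() // 8 + 1  # Java: bitLength()/8 + 1
    return n.to_bytes(length, "big", signed=True)


def strip_sign_byte(b: bytes) -> bytes:
    """The fix from the report: drop a leading 0x00 that is only a sign byte
    (with a length guard so a zero salt does not become empty)."""
    return b[1:] if len(b) > 1 and b[0] == 0 else b


def srp_x(salt_bytes: bytes, user_id: str, password: str) -> int:
    """x = H(s | H(I ':' P)) with H = SHA-1, as in RFC 5054."""
    inner = hashlib.sha1(f"{user_id}:{password}".encode("utf-8")).digest()
    return int.from_bytes(hashlib.sha1(salt_bytes + inner).digest(), "big")


def x_buggy(salt: int, user_id: str, password: str) -> int:
    """Unfixed behaviour: the 0x00 sign byte is hashed as part of the salt."""
    return srp_x(java_to_byte_array(salt), user_id, password)


def x_fixed(salt: int, user_id: str, password: str) -> int:
    """Fixed behaviour: only the 16 salt bytes are hashed."""
    return srp_x(strip_sign_byte(java_to_byte_array(salt)), user_id, password)


if __name__ == "__main__":
    raw = java_to_byte_array(RFC5054_SALT)
    print(f"toByteArray() gives {len(raw)} bytes, first byte 0x{raw[0]:02x}")
    print("buggy x :", hex(x_buggy(RFC5054_SALT, "alice", "password123")))
    print("fixed x :", hex(x_fixed(RFC5054_SALT, "alice", "password123")))
    print("RFC x   :", hex(RFC5054_X))
```

Because v = g^x mod N, a wrong x yields a wrong verifier, which is why the reporter's test against the RFC vectors failed before the fix.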
Comments (1)
Fixed in commit 706325d.