CVE-2016-1000338
Description
In Bouncy Castle JCE Provider version 1.55 and earlier, the DSA implementation does not fully validate the ASN.1 encoding of the signature on verification. It is possible to inject extra elements into the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Bouncy Castle JCE Provider versions 1.55 and earlier do not fully validate the ASN.1 encoding of DSA signatures, so extra ASN.1 elements can be injected into a signature that still verifies.
Vulnerability
In Bouncy Castle JCE Provider version 1.55 and earlier (all releases up to and including 1.55), the DSA signature verification routine does not fully validate the ASN.1 encoding of the signature. It is possible to inject extra elements into the sequence making up the signature and still have it verify successfully. [1][2]
Exploitation
An attacker can craft a DSA signature that contains additional ASN.1 elements beyond the expected r and s values. No special network position or authentication is required beyond the ability to present the malicious signature to a verifier using the vulnerable library. The verifier accepts the signature as valid, allowing the attacker to insert arbitrary data into a signed structure without invalidating the signature.
Impact
Successful exploitation allows an attacker to include extraneous data within a digitally signed structure while the signature still appears valid. This could be used to hide metadata or payloads in signed documents, certificates, or protocol messages, potentially undermining the integrity guarantees provided by the digital signature.
Mitigation
Users should upgrade to Bouncy Castle JCE Provider version 1.56 or later, which properly validates the ASN.1 encoding of DSA signatures. Red Hat has released advisories RHSA-2018:2669 and RHSA-2018:2927 to address this in Red Hat Fuse 7.1 and Red Hat Satellite 6.4, respectively. [1][3][4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
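As an added illustration (not code from Bouncy Castle or from this advisory), a small Python DER decoder for the SEQUENCE { INTEGER r, INTEGER s } signature format: decode(sig, strict=False) models the pre-fix behaviour of reading only elements 0 and 1, while the strict path applies the element-count check from the fix together with the DER checks a verifier should make (no trailing bytes, minimal lengths, positive minimal INTEGERs). The sample encodings are constructed from the MODIFIED_SIGNATURES vectors in the DSATest.java hunk below; WELL_FORMED is vector 9 with its trailing 0000 removed and is assumed to be the encoding the vectors were derived from.

```python
# Added example, not Bouncy Castle code: a DSA signature is DER SEQUENCE { INTEGER r, INTEGER s }.

def _read_tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); rejects BER long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                       # long form: DER allows it only for lengths >= 128
        nbytes = length & 0x7F
        lbytes = buf[pos:pos + nbytes]
        length = int.from_bytes(lbytes, "big")
        if not 0 < nbytes <= 4 or len(lbytes) != nbytes or lbytes[0] == 0 or length < 0x80:
            raise ValueError("non-minimal or bad length encoding")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated value")
    return tag, value, pos + length

def _der_int(value):
    """DSA r and s are positive INTEGERs; DER forbids redundant leading zero bytes."""
    if not value or value[0] & 0x80 or (len(value) > 1 and value[0] == 0 and value[1] < 0x80):
        raise ValueError("INTEGER not positive or not minimal")
    return int.from_bytes(value, "big")

def decode(sig, strict=True):
    """(r, s). strict=False models the pre-fix decoder: elements 0 and 1, nothing else checked."""
    tag, body, end = _read_tlv(sig, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    elems, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        elems.append((t, v))
    if strict and end != len(sig):
        raise ValueError("trailing data after SEQUENCE")
    if strict and (len(elems) != 2 or any(t != 0x02 for t, _ in elems)):
        raise ValueError("malformed signature")       # the check added in commit b0c3ce9
    return _der_int(elems[0][1]), _der_int(elems[1][1])

def encoding_error(sig):
    """None if the strict decoder accepts sig, otherwise why it was rejected."""
    try:
        decode(sig)
    except ValueError as e:
        return str(e)
    return None

# Constructed from the MODIFIED_SIGNATURES vectors in the DSATest.java hunk; WELL_FORMED is vector 9 minus its trailing 0000.
WELL_FORMED = bytes.fromhex("303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9ef41dd424a4e1c8f16967cf3365813fe8786236")
TRAILING_BYTES = WELL_FORMED + b"\x00\x00"            # vector 9: two bytes after the SEQUENCE
LONG_FORM_LENGTH = b"\x30\x81\x3d" + WELL_FORMED[2:]  # vector 7: BER long-form length 0x81 0x3d
EXTRA_ELEMENT = bytes.fromhex("3040021c57b10411b54ab248af03d8f2456676ebc6d3db5f1081492ac87e9ca8021d00942b117051d7d9d107fc42cac9c5a36a1fd7f0f8916ccca86cec4ed3040100")
```

The lenient decoder returns the same (r, s) for EXTRA_ELEMENT and TRAILING_BYTES as for their well-formed counterparts, which is exactly why a signature check alone cannot notice the appended data.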
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.bouncycastle:bcprov-jdk14 (Maven) | >= 1.38, < 1.56 | 1.56 |
| org.bouncycastle:bcprov-jdk15 (Maven) | >= 1.38, < 1.56 | 1.56 |
| org.bouncycastle:bcprov-jdk15on (Maven) | >= 1.38, < 1.56 | 1.56 |
Affected products
- pkg:maven/org.bouncycastle/bcprov-jdk14 (no CPE): range >= 1.38, < 1.56
- pkg:maven/org.bouncycastle/bcprov-jdk15 (no CPE): range >= 1.38, < 1.56
- pkg:maven/org.bouncycastle/bcprov-jdk15on (no CPE): range >= 1.38, < 1.56
- pkg:rpm/opensuse/bouncycastle&distro=openSUSE%20Tumbleweed (no CPE): range < 1.68-3.2
Patches
b0c3ce99d43d: added length check for sequence in DSA signatures
2 files changed · +110 −3
prov/src/main/java/org/bouncycastle/jcajce/provider/asymmetric/dsa/DSASigner.java+5 −3 modified@@ -8,8 +8,6 @@ import java.security.SecureRandom; import java.security.SignatureException; import java.security.SignatureSpi; -import java.security.interfaces.DSAKey; -import java.security.interfaces.DSAPublicKey; import java.security.spec.AlgorithmParameterSpec; import org.bouncycastle.asn1.ASN1Encoding; @@ -18,7 +16,6 @@ import org.bouncycastle.asn1.ASN1Sequence; import org.bouncycastle.asn1.DERSequence; import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers; -import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo; import org.bouncycastle.asn1.x509.X509ObjectIdentifiers; import org.bouncycastle.crypto.CipherParameters; import org.bouncycastle.crypto.DSA; @@ -179,6 +176,11 @@ private BigInteger[] derDecode( throws IOException { ASN1Sequence s = (ASN1Sequence)ASN1Primitive.fromByteArray(encoding); + if (s.size() != 2) + { + throw new IOException("malformed signature"); + } + return new BigInteger[]{ ((ASN1Integer)s.getObjectAt(0)).getValue(), ((ASN1Integer)s.getObjectAt(1)).getValue()
prov/src/test/java/org/bouncycastle/jce/provider/test/DSATest.java+105 −0 modified@@ -70,6 +70,110 @@ public class DSATest SecureRandom random = new FixedSecureRandom(new byte[][] { k1, k2 }); + // DSA modified signatures, courtesy of the Google security team + static final DSAPrivateKeySpec PRIVATE_KEY = new DSAPrivateKeySpec( + // x + new BigInteger( + "15382583218386677486843706921635237927801862255437148328980464126979"), + // p + new BigInteger( + "181118486631420055711787706248812146965913392568235070235446058914" + + "1170708161715231951918020125044061516370042605439640379530343556" + + "4101919053459832890139496933938670005799610981765220283775567361" + + "4836626483403394052203488713085936276470766894079318754834062443" + + "1033792580942743268186462355159813630244169054658542719322425431" + + "4088256212718983105131138772434658820375111735710449331518776858" + + "7867938758654181244292694091187568128410190746310049564097068770" + + "8161261634790060655580211122402292101772553741704724263582994973" + + "9109274666495826205002104010355456981211025738812433088757102520" + + "562459649777989718122219159982614304359"), + // q + new BigInteger( + "19689526866605154788513693571065914024068069442724893395618704484701"), + // g + new BigInteger( + "2859278237642201956931085611015389087970918161297522023542900348" + + "0877180630984239764282523693409675060100542360520959501692726128" + + "3149190229583566074777557293475747419473934711587072321756053067" + + "2532404847508798651915566434553729839971841903983916294692452760" + + "2490198571084091890169933809199002313226100830607842692992570749" + + "0504363602970812128803790973955960534785317485341020833424202774" + + "0275688698461842637641566056165699733710043802697192696426360843" + + "1736206792141319514001488556117408586108219135730880594044593648" + + "9237302749293603778933701187571075920849848690861126195402696457" + + "4111219599568903257472567764789616958430")); + + static final DSAPublicKeySpec PUBLIC_KEY 
= new DSAPublicKeySpec( + new BigInteger( + "3846308446317351758462473207111709291533523711306097971550086650" + + "2577333637930103311673872185522385807498738696446063139653693222" + + "3528823234976869516765207838304932337200968476150071617737755913" + + "3181601169463467065599372409821150709457431511200322947508290005" + + "1780020974429072640276810306302799924668893998032630777409440831" + + "4314588994475223696460940116068336991199969153649625334724122468" + + "7497038281983541563359385775312520539189474547346202842754393945" + + "8755803223951078082197762886933401284142487322057236814878262166" + + "5072306622943221607031324846468109901964841479558565694763440972" + + "5447389416166053148132419345627682740529"), + PRIVATE_KEY.getP(), + PRIVATE_KEY.getQ(), + PRIVATE_KEY.getG()); + + // The following test vectors check for signature malleability and bugs. That means the test + // vectors are derived from a valid signature by modifying the ASN encoding. A correct + // implementation of DSA should only accept correct DER encoding and properly handle the others. + // Allowing alternative BER encodings is in many cases benign. 
An example where this kind of + // signature malleability was a problem: https://en.bitcoin.it/wiki/Transaction_Malleability + static final String[] MODIFIED_SIGNATURES = { + "303e02811c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "303f0282001c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f" + + "9ef41dd424a4e1c8f16967cf3365813fe8786236", + "303e021d001e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd02811d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "303f021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd0282001d00ade65988d237d30f" + + "9ef41dd424a4e1c8f16967cf3365813fe8786236", + "303e021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021e0000ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "30813d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9e" + + "f41dd424a4e1c8f16967cf3365813fe8786236", + "3082003d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f" + + "9ef41dd424a4e1c8f16967cf3365813fe8786236", + "303d021c1e41b479ad576905b960fe14eadb91b0ccf34843dab916173bb8c9cd021d00ade65988d237d30f9ef4" + + "1dd424a4e1c8f16967cf3365813fe87862360000", + "3040021c57b10411b54ab248af03d8f2456676ebc6d3db5f1081492ac87e9ca8021d00942b117051d7d9d107fc42cac9c5a36a1fd7f0f8916ccca86cec4ed3040100" + }; + + private void testModified() + throws Exception + { + KeyFactory kFact = KeyFactory.getInstance("DSA", "BC"); + PublicKey pubKey = kFact.generatePublic(PUBLIC_KEY); + Signature sig = Signature.getInstance("DSA", "BC"); + + for (int i = 0; i != MODIFIED_SIGNATURES.length; i++) + { + sig.initVerify(pubKey); + + sig.update(Strings.toByteArray("Hello")); + + boolean failed; + + try + { + failed = 
!sig.verify(Hex.decode(MODIFIED_SIGNATURES[i])); + } + catch (SignatureException e) + { + failed = true; + } + + isTrue("sig verified when shouldn't", failed); + } + } + private void testCompat() throws Exception { @@ -1223,6 +1327,7 @@ public void performTest() testDSA2Parameters(); testNullParameters(); testValidate(); + testModified(); } protected BigInteger[] derDecode(
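Review bot: the two import removals in DSASigner.java (DSAKey and DSAPublicKey in the first hunk, SubjectPublicKeyInfo in the second) are unrelated cleanup bundled into a security fix; keeping them out of this commit would make the fix smaller to review and easier to backport to the affected 1.38 to 1.55 line.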
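Review bot: the `if (s.size() != 2)` check in derDecode closes only the extra-element case (the last vector, ending in `040100`), yet the new MODIFIED_SIGNATURES vectors also cover BER long-form lengths (`30813d`, `0281 1c`, `0282 001c`), padded INTEGERs (`021d00 1e41...`, `021e0000 ade6...`) and trailing bytes (`...8786236 0000`); derDecode does nothing for those, so the test passes only if ASN1Primitive.fromByteArray or the later verify step rejects them, and nothing in the hunk says which. Suggest either asserting in derDecode that the DER re-encoding of the two ASN1Integers is byte-identical to `encoding`, or adding a comment stating which layer rejects each class of malformed input. Separately, the `(ASN1Integer)` casts still raise ClassCastException rather than IOException when element 0 or 1 is not an INTEGER; mapping that to `throw new IOException("malformed signature")` keeps every malformed encoding on one failure path.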
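Review bot: testModified has no positive control: the well-formed signature the vectors were derived from (vector 9 without its trailing `0000`) is never asserted to verify, so a regression that rejects every DSA signature would pass this test; add an `isTrue(sig.verify(...))` on it before the loop. Also, `catch (SignatureException e)` is the only exception handled, so a ClassCastException from derDecode aborts the whole test instead of reporting which vector broke; catching Exception and including `i` in the isTrue message would make failures diagnosable.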
References
- access.redhat.com/errata/RHSA-2018:2669 (vendor advisory)
- access.redhat.com/errata/RHSA-2018:2927 (vendor advisory)
- github.com/advisories/GHSA-4vhj-98r6-424h (advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-1000338 (advisory)
- usn.ubuntu.com/3727-1/ (vendor advisory)
- github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f (fix commit)
- lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E (mailing list)
- lists.debian.org/debian-lts-announce/2018/07/msg00009.html (mailing list)
- security.netapp.com/advisory/ntap-20231006-0011/
- www.oracle.com/security-alerts/cpuoct2020.html