Disable RSA blinding for BoringSSL with no public exponent
Switch to using the RSA_FLAG_NO_BLINDING for both OpenSSL and BoringSSL.
The RSAPrivateKey constructor in the Java language only takes the
modulus and private exponent, so we have to support no blinding.
(cherry picked from commit fbb754fc646d109d9c0d42d94a7dced5eaa6b5d7)
Bug: 20563652
Change-Id: I6264ffce428bf9847eb83dafb9119ccfe184d7f5
diff --git a/src/main/native/org_conscrypt_NativeCrypto.cpp b/src/main/native/org_conscrypt_NativeCrypto.cpp
index 6680a99..f6bcbad 100644
--- a/src/main/native/org_conscrypt_NativeCrypto.cpp
+++ b/src/main/native/org_conscrypt_NativeCrypto.cpp
@@ -2566,22 +2566,18 @@
return 0;
}
-#if !defined(OPENSSL_IS_BORINGSSL)
/*
* If the private exponent is available, there is the potential to do signing
- * operations. If the public exponent is also available, OpenSSL will do RSA
- * blinding. Enable it if possible.
+ * operations. However, we can only do blinding if the public exponent is also
+ * available. Disable blinding if the public exponent isn't available.
+ *
+ * TODO[kroot]: We should try to recover the public exponent by trying
+ * some common ones such 3, 17, or 65537.
*/
- if (rsa->d != NULL) {
- if (rsa->e != NULL) {
- JNI_TRACE("EVP_PKEY_new_RSA(...) enabling RSA blinding => %p", rsa.get());
- RSA_blinding_on(rsa.get(), NULL);
- } else {
- JNI_TRACE("EVP_PKEY_new_RSA(...) disabling RSA blinding => %p", rsa.get());
- RSA_blinding_off(rsa.get());
- }
+ if (rsa->d != NULL && rsa->e == NULL) {
+ JNI_TRACE("EVP_PKEY_new_RSA(...) disabling RSA blinding => %p", rsa.get());
+ rsa->flags |= RSA_FLAG_NO_BLINDING;
}
-#endif
Unique_EVP_PKEY pkey(EVP_PKEY_new());
if (pkey.get() == NULL) {
