Conversation

Welp. It’s the crypto bug of the year. Mark it down for April. Java 15-18 ECDSA doesn’t sanity check that the random x coordinate and signature proof are nonzero; a (0,0) signature validates any message. Breaks JWT, SAML, &c.

neilmadden.blog

CVE-2022-21449: Psychic Signatures in Java

The long-running BBC sci-fi show Doctor Who has a recurring plot device where the Doctor manages to get out of trouble by showing an identity card which is actually completely blank. Of course, thi…

1,357

2,531

Replying to

and

Thankfully many big orgs using Java are still years away from adopting anything newer than Java 11 😆

117

Replying to

and

android is just getting around to java 11!

This Tweet is unavailable. Learn more

Replying to

Android itself doesn't use the JVM or the OpenJDK cryptography backend. It uses OpenJDK for the SDK including compiling Java to bytecode with javac, which it then compiles to Dalvik bytecode. Android SDK works with OpenJDK 18 as long as source/target language is set to <= 12.

Replying to

Default language for developing apps has switched to Kotlin and there are lots of Kotlin-exclusive features for the libraries. Java version isn't as relevant as it seems since Java bytecode is turned into Dalvik bytecode with backwards compat based on min API level, not Java ver.

6:10 AM · Apr 20, 2022Twitter Web App

Replying to

Targeting Java 11 does not mean the app depends on the OS supporting Java 11. SDK will convert it to bytecode using the latest Dalvik bytecode features available in the minimum API level set by the app. Using lambdas doesn't mean it requires that the OS supports lambdas, etc.