Fix verification in HTTP library.

romanzhang · ejona86 · commit 7548c148450a · 2015-07-31T13:47:29.000-07:00
Clients get a list of public keys to verify the signed token, the client library will try all the keys one by one until it find a match. All these keys used to have the same size, 1024 bit. Recently we've made all the newly generated key with 2048 bit, so it's possible that a client get a list of two keys with the first key 1024 bit RSA and the second key 2048 bit RSA. If the blob was signed by the 1024 bit key, and the client tried the 2048 bit key first, an exception will be throw, and vice versa. The correct behavior is to ignore this exception and continue to try the next key. ------------- Created by MOE: http://code.google.com/p/moe-java MOE_MIGRATED_REVID=95790730
diff --git a/google-http-client/src/main/java/com/google/api/client/util/SecurityUtils.java b/google-http-client/src/main/java/com/google/api/client/util/SecurityUtils.java
@@ -161,7 +161,12 @@ public static boolean verify(
       throws InvalidKeyException, SignatureException {
     signatureAlgorithm.initVerify(publicKey);
     signatureAlgorithm.update(contentBytes);
-    return signatureAlgorithm.verify(signatureBytes);
+    // SignatureException may be thrown if we are tring the wrong key.
+    try {
+      return signatureAlgorithm.verify(signatureBytes);
+    } catch (SignatureException e) {
+      return false;
+    }
   }
 
   /**
