#115 Detection of identification string exchange message too brittle

Milestone: v1.0 (example)
Status: open
Owner: nobody
Labels: None
Priority: 3
Updated: 2017-09-06
Created: 2017-09-06
Private: No

Hello,

Both SignatureDSA and SignatureRSA contain code to detect the SSH "identification string exchange message". The detection is based on the first three bytes (0x00 0x00 0x00). This is too brittle, as normal hashes can also start with 0x00 0x00 0x00. Chances are slim, but I actually triggered this bug!

When signing, I managed to get the following byte array (ASN.1):
30:2a:02:12:00:9c:db:c8:48:b7:b2:61:96:e1:0b:15:f0:7e:ac:69:04:0f:02:14:6a:bd:d6:e3:f6:ba:e7:ba:d6:6c:2c:c8:53:89:7c:e9:9b:b4:fc:09

Which leads to the following output (mpint):
00:00:00:9c:db:c8:48:b7:b2:61:96:e1:0b:15:f0:7e:ac:69:04:0f:6a:bd:d6:e3:f6:ba:e7:ba:d6:6c:2c:c8:53:89:7c:e9:9b:b4:fc:09

When verifying this hash, the mpint is converted back to ASN.1. The following block of code is hit:
    // Any signature whose first three bytes are zero is taken to be an
    // SSH-wrapped signature: string(algorithm name) followed by string(blob).
    if (sig[0] == 0 && sig[1] == 0 && sig[2] == 0)
    {
      // length of the supposed algorithm-name string
      j = sig[i++] << 24 & 0xff000000 | sig[i++] << 16 & 0x00ff0000 | sig[i++] << 8 & 0x0000ff00 | sig[i++] & 0x000000ff;
      i += j;   // skip it; nothing checks that i is still inside sig
      // length of the supposed inner blob, read at that unchecked offset
      j = sig[i++] << 24 & 0xff000000 | sig[i++] << 16 & 0x00ff0000 | sig[i++] << 8 & 0x0000ff00 | sig[i++] & 0x000000ff;
      tmp = new byte[j];
      System.arraycopy(sig, i, tmp, 0, j);
      sig = tmp;
    }

And I get a "java.lang.ArrayIndexOutOfBoundsException: 160"...

My alternative implementation of SignatureDSA.java and SignatureRSA.java (available at https://github.com/Jurrie/jsch-111-bugfix) tries to detect the "identification string exchange message" using the first eight bytes. This however does not eliminate the bug; it just reduces the chance of hitting it. A better solution is needed I think.

With kind regards,

Jurrie
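
The following is an added example, not the reporter's code and not JSch's own: it reproduces the failure on the exact bytes posted above and contrasts the three-byte prefix heuristic with a parse that decides by the lengths the key fixes. It assumes the RFC 4253 "ssh-dss" blob layout (r and s as two 20-byte integers, no lengths, 40 bytes total) and the RFC 4251 string encoding (uint32 length plus bytes); the function names (der_to_raw, brittle_unwrap, robust_unwrap and friends) are this example's own, and the bounds-checked variant is one possible design rather than the fix the project adopted.

```python
"""Added example (not JSch code): the 00 00 00 heuristic from the ticket,
reproduced on the reporter's bytes, next to a length-driven parse."""

# DER-encoded DSA signature from the ticket: SEQUENCE { INTEGER r, INTEGER s }.
DER_SIG = bytes.fromhex(
    "30 2a 02 12 00 9c db c8 48 b7 b2 61 96 e1 0b 15 f0 7e ac 69 04 0f"
    "02 14 6a bd d6 e3 f6 ba e7 ba d6 6c 2c c8 53 89 7c e9 9b b4 fc 09"
)
# The 40-byte r||s form from the ticket: r has only 17 significant bytes, so
# left-padding it to 20 bytes yields the 00 00 00 prefix that trips the check.
RAW_SIG = bytes.fromhex(
    "00 00 00 9c db c8 48 b7 b2 61 96 e1 0b 15 f0 7e ac 69 04 0f"
    "6a bd d6 e3 f6 ba e7 ba d6 6c 2c c8 53 89 7c e9 9b b4 fc 09"
)
DSA_NAME = b"ssh-dss"
DSA_RAW_LEN = 40  # two 160-bit integers, fixed width (RFC 4253 ssh-dss blob)


def der_to_raw(der: bytes, width: int = 20) -> bytes:
    """DER SEQUENCE{INTEGER r, INTEGER s} -> r||s with each integer exactly
    `width` bytes. Short-form lengths only, which suffices for DSA/SHA-1."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, parts = 2, []
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        n = der[pos + 1]
        value = der[pos + 2:pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated INTEGER")
        pos += 2 + n
        value = value.lstrip(b"\x00")               # drop DER sign-padding zeros
        if len(value) > width:
            raise ValueError("integer wider than the group order")
        parts.append(value.rjust(width, b"\x00"))  # fixed width, left-padded
    if pos != len(der):
        raise ValueError("trailing bytes after SEQUENCE")
    return b"".join(parts)


def u32(buf: bytes, i: int) -> int:
    """Big-endian uint32 at offset i. The IndexError carries the offset of
    the failing read, like Java's ArrayIndexOutOfBoundsException message."""
    if i + 4 > len(buf):
        raise IndexError(i)
    return (buf[i] << 24) | (buf[i + 1] << 16) | (buf[i + 2] << 8) | buf[i + 3]


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def brittle_unwrap(sig: bytes) -> bytes:
    """Same logic as the posted Java: a 00 00 00 prefix is assumed to mean
    string(name) || string(blob). No bounds check, no name check."""
    if sig[0] == 0 and sig[1] == 0 and sig[2] == 0:
        i = 0
        j = u32(sig, i); i += 4
        i += j                    # skip the supposed algorithm-name string
        j = u32(sig, i); i += 4   # on RAW_SIG this reads at offset 4 + 0x9c = 160
        return sig[i:i + j]
    return sig


def brittle_failure_offset(sig: bytes):
    """Offset at which brittle_unwrap reads past the end, or None if it succeeds."""
    try:
        brittle_unwrap(sig)
    except IndexError as e:
        return e.args[0]
    return None


def robust_unwrap(sig: bytes, name: bytes = DSA_NAME, raw_len: int = DSA_RAW_LEN) -> bytes:
    """Decide by the lengths the key fixes, then validate the wrapper fully.
    Raw and wrapped forms differ by 8 + len(name) bytes, so no prefix guess
    is needed and a leading 00 00 00 inside r||s is harmless."""
    if len(sig) == raw_len:
        return sig
    if len(sig) != 4 + len(name) + 4 + raw_len:
        raise ValueError("signature has neither the raw nor the wrapped length")
    i = 0
    n = u32(sig, i); i += 4
    if sig[i:i + n] != name:
        raise ValueError("algorithm name mismatch")
    i += n
    n = u32(sig, i); i += 4
    if n != raw_len or i + n != len(sig):
        raise ValueError("inner blob length does not match the key")
    return sig[i:i + n]


def robust_accepts(sig: bytes, name: bytes = DSA_NAME, raw_len: int = DSA_RAW_LEN) -> bool:
    """True if robust_unwrap accepts sig, False if it rejects it."""
    try:
        robust_unwrap(sig, name, raw_len)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    assert der_to_raw(DER_SIG) == RAW_SIG
    print("brittle check fails at offset", brittle_failure_offset(RAW_SIG))
    print("robust parse accepts raw blob:", robust_accepts(RAW_SIG))
```

The wrapped form for ssh-dss is always 55 bytes and the raw form always 40, so the verifier never has to guess from a prefix; the same holds for ssh-rsa once the modulus length is known from the key. Rejecting anything of another length, and checking the algorithm name and inner length before copying, also closes the unchecked offset arithmetic that produced the exception in the ticket.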
