-
Bug
-
Resolution: Fixed
-
P4
-
8, 9, 10
-
b13
-
Not verified
javax/net/ssl/TLSv12/SignatureAlgorithms.java test skips if only SHA-224 is enabled on Windows:
http://hg.openjdk.java.net/jdk9/dev/jdk/file/e8f3a872e69a/test/javax/net/ssl/TLSv12/SignatureAlgorithms.java#l438
/*
* Ignore testing on Windows if only SHA-224 is available.
*/
if ((Security.getProvider("SunMSCAPI") != null) &&
(disabledAlgorithms.contains("SHA-1")) &&
(disabledAlgorithms.contains("SHA-256"))) {
System.out.println(
"Windows system does not support SHA-224 algorithms yet. " +
"Ignore the testing");
return;
}
But SHA224-based signature algorithms should be provided by Java-based security providers on all supported platforms:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SUNProvider
TLS client sends a signature_algorithms extension in a ClientHello message. The extension contains a list of signature algorithms which the client is okay to use. I noticed that on non-Windows platforms the client includes SHA224-based signature algorithms to the extension, but SHA224-based signature algorithms are not included to the extension on Windows.
Here is the code which figures out which signature algorithms are available
http://hg.openjdk.java.net/jdk9/dev/jdk/file/e8f3a872e69a/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java#l398
The code checks if SunMSCAPI provider is not available, and if so, it adds SHA224-based signature algorithms. As a result, SHA224-based signatures are not sent in signature_algorithms extension on Windows.
Since SHA224-based signature algorithms are provided by other security providers, they should be enabled on Windows as well.
http://hg.openjdk.java.net/jdk9/dev/jdk/file/e8f3a872e69a/test/javax/net/ssl/TLSv12/SignatureAlgorithms.java#l438
/*
* Ignore testing on Windows if only SHA-224 is available.
*/
if ((Security.getProvider("SunMSCAPI") != null) &&
(disabledAlgorithms.contains("SHA-1")) &&
(disabledAlgorithms.contains("SHA-256"))) {
System.out.println(
"Windows system does not support SHA-224 algorithms yet. " +
"Ignore the testing");
return;
}
But SHA224-based signature algorithms should be provided by Java-based security providers on all supported platforms:
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SUNProvider
TLS client sends a signature_algorithms extension in a ClientHello message. The extension contains a list of signature algorithms which the client is okay to use. I noticed that on non-Windows platforms the client includes SHA224-based signature algorithms to the extension, but SHA224-based signature algorithms are not included to the extension on Windows.
Here is the code which figures out which signature algorithms are available
http://hg.openjdk.java.net/jdk9/dev/jdk/file/e8f3a872e69a/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java#l398
The code checks if SunMSCAPI provider is not available, and if so, it adds SHA224-based signature algorithms. As a result, SHA224-based signatures are not sent in signature_algorithms extension on Windows.
Since SHA224-based signature algorithms are provided by other security providers, they should be enabled on Windows as well.
- relates to
-
-
- Closed
-