JDK-8182143

SHA224-based signature algorithms are not enabled for TLSv12 on Windows


    • Type: Bug
    • Resolution: Fixed
    • Priority: P4
    • Fix Version/s: 10
    • Affects Version/s: 8, 9, 10
    • Component/s: security-libs
    • Resolved In Build: b13
    • Verification: Not verified

      The javax/net/ssl/TLSv12/SignatureAlgorithms.java test is skipped on Windows if only SHA-224 is enabled:

      http://hg.openjdk.java.net/jdk9/dev/jdk/file/e8f3a872e69a/test/javax/net/ssl/TLSv12/SignatureAlgorithms.java#l438

              /*
               * Ignore testing on Windows if only SHA-224 is available.
               */
              if ((Security.getProvider("SunMSCAPI") != null) &&
                      (disabledAlgorithms.contains("SHA-1")) &&
                      (disabledAlgorithms.contains("SHA-256"))) {

                  System.out.println(
                      "Windows system does not support SHA-224 algorithms yet. " +
                      "Ignore the testing");

                  return;
              }


      But SHA224-based signature algorithms should be provided by Java-based security providers on all supported platforms:

      https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SUNProvider

      A TLS client sends a signature_algorithms extension in its ClientHello message. The extension contains a list of signature algorithms which the client is okay to use. I noticed that on non-Windows platforms the client includes SHA224-based signature algorithms in the extension, but SHA224-based signature algorithms are not included in the extension on Windows.

      Here is the code which figures out which signature algorithms are available:

      http://hg.openjdk.java.net/jdk9/dev/jdk/file/e8f3a872e69a/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java#l398

      The code checks if the SunMSCAPI provider is not available, and if so, it adds SHA224-based signature algorithms. As a result, SHA224-based signatures are not sent in the signature_algorithms extension on Windows.

      Since SHA224-based signature algorithms are provided by other security providers, they should be enabled on Windows as well.
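
The premise above can be checked on any machine with the following added example, which is not part of the original report or of the JDK sources. It lists the installed providers that implement each SHA224-based Signature algorithm and runs one SHA224withRSA sign/verify round trip; the class name Sha224SignatureCheck and the sample message are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;

// Hypothetical class name; added example, not JDK code.
public class Sha224SignatureCheck {
    // JCA names of the SHA224-based signature algorithms relevant to TLS 1.2.
    static final String[] ALGS = {"SHA224withRSA", "SHA224withDSA", "SHA224withECDSA"};

    public static void main(String[] args) throws Exception {
        boolean mscapi = Security.getProvider("SunMSCAPI") != null;
        System.out.println("SunMSCAPI installed: " + mscapi);

        for (String alg : ALGS) {
            // getProviders returns null when no installed provider matches the filter.
            Provider[] providers = Security.getProviders("Signature." + alg);
            StringBuilder names = new StringBuilder();
            boolean nonMscapi = false;
            if (providers != null) {
                for (Provider p : providers) {
                    names.append(p.getName()).append(' ');
                    nonMscapi |= !"SunMSCAPI".equals(p.getName());
                }
            }
            System.out.printf("%-16s providers: %s-> available outside SunMSCAPI: %b%n",
                    alg, names, nonMscapi);
        }

        // Round trip using whichever provider the default lookup order selects.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);

        Signature signer = Signature.getInstance("SHA224withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA224withRSA");
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        System.out.println("SHA224withRSA via " + signer.getProvider().getName()
                + " verifies: " + verifier.verify(sig));
    }
}
```

If every algorithm reports a provider other than SunMSCAPI while SunMSCAPI is installed, the machine matches the situation described in this report.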

            asmotrak Artem Smotrakov
            asmotrak Artem Smotrakov