Details
-
Bug
-
Resolution: Fixed
-
P3
-
11
-
b26
-
generic
-
generic
Backports
Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8215676 | 13 | Valerie Peng | P3 | Resolved | Fixed | b01 |
JDK-8216106 | 12.0.1 | Valerie Peng | P3 | Resolved | Fixed | master |
JDK-8259602 | 11.0.11-oracle | Prajwal Kumaraswamy | P3 | Resolved | Won't Fix | |
JDK-8227088 | 11.0.5 | Valerie Peng | P3 | Resolved | Fixed | b01 |
JDK-8239042 | openjdk8u252 | Bradford Wetmore | P3 | Resolved | Fixed | b03 |
JDK-8238060 | 8u261 | Bradford Wetmore | P3 | Resolved | Fixed | b01 |
JDK-8238794 | 8u251 | Bradford Wetmore | P3 | Resolved | Fixed | b04 |
JDK-8246931 | emb-8u261 | Bradford Wetmore | P3 | Resolved | Fixed | team |
JDK-8239737 | emb-8u251 | Bradford Wetmore | P3 | Resolved | Fixed | team |
Description
The class method;
public static void specialSetParameter(Signature sig, AlgorithmParameters params)
Has a call to sig.setParameter(null) which only catches UnsupportedOperationException. I'll leave the debate as to why it is calling with null to other people, but the catch clause around the call should catch NullPointerException as that would be an acceptable exception for a provider to throw and also InvalidAlgorithmParameterException as it is actually the defined exception for setParameter() if bad AlgorithmParameters are passed.
In the case of third party crypto providers, such as bc-fips-1.0.1.jar this is particularly serious as it leads to a:
JCE cannot authenticate the provider BCFIPS
caused by:
java.util.jar.JarException: file:/tmp/bc-fips-1.0.1.jar is not signed by a trusted signer.
which is the result of the escaping exception generated by sig.setParameters(null).
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Place a third party provider such as BC-FJA 1.0.1 first in the java.security file as in:
security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
Compile and run the ProviderTest class:
javac -classpath bc-fips-1.0.1.jar ProviderTest.java
java -cp .:bc-fips-1.0.1.jar ProviderTest
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
JVM SecurityProvider list:
Provider at position = 1 has name = BCFIPS
Provider at position = 2 has name = SUN
Provider at position = 3 has name = SunRsaSign
Provider at position = 4 has name = SunEC
Provider at position = 5 has name = SunJSSE
Provider at position = 6 has name = SunJCE
Provider at position = 7 has name = SunJGSS
Provider at position = 8 has name = SunSASL
Provider at position = 9 has name = XMLDSig
Provider at position = 10 has name = SunPCSC
Provider at position = 11 has name = JdkLDAP
Provider at position = 12 has name = JdkSASL
Provider at position = 13 has name = SunPKCS11
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/tmp/java11/bc-fips-1.0.1.jar) to method sun.security.jca.Providers.getSunProvider()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
ACTUAL -
JVM SecurityProvider list:
Provider at position = 1 has name = BCFIPS
Provider at position = 2 has name = SUN
Provider at position = 3 has name = SunRsaSign
Provider at position = 4 has name = SunEC
Provider at position = 5 has name = SunJSSE
Provider at position = 6 has name = SunJCE
Provider at position = 7 has name = SunJGSS
Provider at position = 8 has name = SunSASL
Provider at position = 9 has name = XMLDSig
Provider at position = 10 has name = SunPCSC
Provider at position = 11 has name = JdkLDAP
Provider at position = 12 has name = JdkSASL
Provider at position = 13 has name = SunPKCS11
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/tmp/java11/bc-fips-1.0.1.jar) to method sun.security.jca.Providers.getSunProvider()
WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
java.lang.SecurityException: JCE cannot authenticate the provider BCFIPS
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:694)
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:625)
at ProviderTest.main(ProviderTest.java:14)
Caused by: java.util.jar.JarException: file:/tmp/java11/bc-fips-1.0.1.jar is not signed by a trusted signer.
at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:498)
at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:314)
at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:257)
at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:129)
at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:191)
at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:217)
at java.base/javax.crypto.Cipher.getInstance(Cipher.java:690)
... 2 more
---------- BEGIN SOURCE ----------
import javax.crypto.*;
import java.io.*;
import java.security.*;
public class ProviderTest
{
public static void main(String[] args)
{
try
{
printProviders();
Cipher.getInstance("AES", "BCFIPS");
}
catch (Exception e)
{
e.printStackTrace();
}
}
public static void printProviders()
{
System.out.println( "JVM SecurityProvider list:\n");
Provider[] providers = Security.getProviders();
for(int i=0; i < providers.length; i++)
{
Provider provider = providers[i];
System.out.println( "Provider at position = "+ (i+1) +" has name = "+provider.getName() );
}
}
}
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
No work around available.
Attachments
Issue Links
- backported by
-
JDK-8215676 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8216106 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8227088 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8238060 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8238794 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8239042 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8239737 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8246931 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
-
JDK-8259602 sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
- Resolved
- relates to
-
JDK-8146293 Add support for RSASSA-PSS Signature algorithm
- Resolved