Bug
Resolution: Fixed
P3
11, 13
b30
generic
generic
Verified

Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
---|---|---|---|---|---|---|
JDK-8227625 | 14 | Valerie Peng | P3 | Resolved | Fixed | b06 |
JDK-8228318 | 13.0.2 | Valerie Peng | P3 | Resolved | Fixed | b01 |
JDK-8228102 | 13.0.1 | Valerie Peng | P3 | Resolved | Fixed | b02 |
JDK-8257742 | 11.0.11-oracle | Prajwal Kumaraswamy | P3 | Resolved | Fixed | b01 |
JDK-8234661 | 11.0.6 | Valerie Peng | P3 | Resolved | Fixed | b05 |
JDK-8239048 | openjdk8u252 | Bradford Wetmore | P3 | Resolved | Fixed | b03 |
JDK-8238066 | 8u261 | Bradford Wetmore | P3 | Resolved | Fixed | b01 |
JDK-8238800 | 8u251 | Bradford Wetmore | P3 | Resolved | Fixed | b04 |
JDK-8246937 | emb-8u261 | Bradford Wetmore | P3 | Resolved | Fixed | team |
JDK-8239743 | emb-8u251 | Bradford Wetmore | P3 | Resolved | Fixed | team |
The test is in attachments.
When running with 8, the test completed successfully.
```
$ $JAVA_HOME/bin/java Main
$ Successfully validated certificate chain using Signature Algorithm: SHA256withECDSA
```
When running with 11 (and above), the test throws a CertPathValidatorException caused by CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA
```
$JAVA_HOME/bin/java Main
java.security.cert.CertPathValidatorException: signature check failed
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
    at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
    at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
    at Main.validate(Main.java:74)
    at Main.testSHA256withECDSA(Main.java:24)
    at Main.main(Main.java:10)
Caused by: java.security.cert.CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA
    at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:436)
    at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
    at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
    at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
    ... 7 more
Exception in thread "main" java.lang.RuntimeException
    at Main.validate(Main.java:78)
    at Main.testSHA256withECDSA(Main.java:24)
    at Main.main(Main.java:10)
```
Prior to JDK11, the Signature algorithm inside the X509Cert validator was initialized without parameters.
The X509Cert validator was updated to initialize the signature (any signature) if the certificate contains additional algorithm parameters for this signature.
In my understanding, it makes sense only in the case of RSA-related (RSASSA-PSS) signature algorithms. So, there is a proposal to change signature initialization for the X509Cert and X509CRL validators to initialize the signature with parameters for RSA-related signatures (JDK11 logic) and to initialize it without parameters for other Signature algorithms (JDK8 logic).
Webrev:
http://cr.openjdk.java.net/~dcherepanov/misc/SignatureUtil/webrev/
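
The proposed rule, as an added sketch using only public `java.security` APIs (it is not the webrev's code or the JDK's own implementation): the hypothetical helper `initVerify` applies parameters only when the algorithm name is RSASSA-PSS and otherwise initializes with the key alone. The class and method names, the sample data and the stand-in ECDSA parameters are constructed for illustration, and matching only the literal name "RSASSA-PSS" is a simplifying assumption; it needs a runtime whose providers support RSASSA-PSS.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;
public class SigParamInit {
    // Parameters are applied only for RSASSA-PSS; every other algorithm
    // is initialized with the key alone (the JDK 8 logic described above).
    static Signature initVerify(String alg, PublicKey key, AlgorithmParameterSpec params)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(alg);
        sig.initVerify(key);                  // key first, so the provider is selected
        if (params != null && alg.equalsIgnoreCase("RSASSA-PSS")) {
            sig.setParameter(params);         // PSS cannot verify without these
        }
        return sig;
    }

    static boolean verify(String alg, PublicKey key, AlgorithmParameterSpec params,
                          byte[] data, byte[] signature) throws GeneralSecurityException {
        Signature sig = initVerify(alg, key, params);
        sig.update(data);
        return sig.verify(signature);
    }

    static byte[] sign(String alg, PrivateKey key, AlgorithmParameterSpec params, byte[] data)
            throws GeneralSecurityException {
        Signature sig = Signature.getInstance(alg);
        sig.initSign(key);
        if (params != null) sig.setParameter(params);
        sig.update(data);
        return sig.sign();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = "constructed sample data".getBytes(StandardCharsets.UTF_8);
        KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
        ecGen.initialize(new ECGenParameterSpec("secp256r1"));
        KeyPair ec = ecGen.generateKeyPair();
        // Constructed stand-in for parameters attached to an ECDSA algorithm identifier.
        AlgorithmParameterSpec stray = new ECGenParameterSpec("secp256r1");
        byte[] ecSig = sign("SHA256withECDSA", ec.getPrivate(), null, data);
        System.out.println("ECDSA verified: " + verify("SHA256withECDSA", ec.getPublic(), stray, data, ecSig));
        KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
        rsaGen.initialize(2048);
        KeyPair rsa = rsaGen.generateKeyPair();
        PSSParameterSpec pss = new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
        byte[] pssSig = sign("RSASSA-PSS", rsa.getPrivate(), pss, data);
        System.out.println("PSS verified: " + verify("RSASSA-PSS", rsa.getPublic(), pss, data, pssSig));
    }
}
```
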
backported by
- JDK-8227625 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8228102 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8228318 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8234661 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8238066 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8238800 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8239048 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8239743 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8246937 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)
- JDK-8257742 NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support (Resolved)

relates to
- JDK-8146293 Add support for RSASSA-PSS Signature algorithm (Resolved)
- JDK-8286908 ECDSA signature should not return parameters (Closed)
- JDK-8288728 Support for signature SHA256withECDSA for intermediate certificates. (Closed)