JDK-8366263: Block signature scheme names to be used with CertificateSignature algorithm constraints usage

    • Type: CSR
    • Resolution: Unresolved
    • Priority: P4
    • Component: security-libs
    • Compatibility Kind: behavioral
    • Compatibility Risk: minimal
    • Interface Kind: System or security property
    • Scope: JDK

      Summary

      Block signature scheme names to be used with CertificateSignature algorithm constraints usage

      Problem

      Users can be confused when trying to block the RSASSA-PSS certificate signature algorithm by specifying one of the rsa_pss_* signature schemes with the CertificateSignature algorithm usage constraint. The RSASSA-PSS certificate signature algorithm corresponds to multiple signature scheme names, so blocking one of those signature schemes with the CertificateSignature usage directive won't block RSASSA-PSS certificate signatures, because the other rsa_pss_* signature schemes will still be allowed.
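As an added illustration (not from the CSR or the JDK sources), the same intent written as the jdk.tls.disabledAlgorithms property in java.security, once as the ineffective scheme-name entry and once naming the certificate's signature algorithm. The surrounding property value is constructed and abbreviated, and "RSASSA-PSS" is assumed to be the name of the certificate's signature algorithm.

```properties
# Constructed java.security fragment (not the JDK default value). The default
# jdk.tls.disabledAlgorithms list is abbreviated to "..." and must be kept when
# the property is edited, because the value replaces the whole list.

# Ineffective: rsa_pss_rsae_sha256 is one TLS signature scheme name. A PSS-signed
# certificate is still accepted through the remaining rsa_pss_rsae_* and
# rsa_pss_pss_* schemes, so RSASSA-PSS certificate signatures are not blocked.
jdk.tls.disabledAlgorithms=..., rsa_pss_rsae_sha256 usage CertificateSignature

# Effective: name the certificate's signature algorithm itself (assumed name
# "RSASSA-PSS"), which covers every rsa_pss_* scheme at once. Scheme names remain
# valid for HandshakeSignature, where each scheme is blocked individually.
jdk.tls.disabledAlgorithms=..., RSASSA-PSS usage CertificateSignature, \
    rsa_pss_rsae_sha256 usage HandshakeSignature
```

The two assignments are alternatives, not a combined configuration; a properties file keeps only the last value for a repeated key.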

      Solution

      Block signature scheme names from being used with the CertificateSignature algorithm constraints usage type, and update the documentation in the java.security config file.

      Specification

      --- a/src/java.base/share/conf/security/java.security
      +++ b/src/java.base/share/conf/security/java.security
      @@ -755,7 +755,12 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1
       #     other usage types defined in the jdk.certpath.disabledAlgorithms
       #     property. The usage type follows the keyword and more than one usage type
       #     can be specified with a whitespace delimiter.
      -#     Example: "rsa_pkcs1_sha1 usage HandshakeSignature"
      +#     Note that TLS signature scheme names can't be used as algorithms with
      +#     CertificateSignature usage type, only certificate's signature algorithm
      +#     or certificate's key algorithm are supported for this usage type.
      +#     Examples:
      +#       - rsa_pkcs1_sha1 usage HandshakeSignature
      +#       - SHA1withRSA usage CertificateSignature
       #
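Review bot: The added note starting at `+#     Note that TLS signature scheme names can't be used as algorithms with` should also state what happens when a scheme name is nevertheless paired with CertificateSignature (whether the entry is ignored, logged, or rejected when the property is parsed), since silently ignoring it would reproduce the confusion this CSR sets out to fix; the sentence also reads better as "only the certificate's signature algorithm or key algorithm is supported for this usage type". The hunk header `@@ -755,7 +755,12 @@` counts two more trailing context lines than are shown here, so confirm the pasted hunk is complete.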

Assignee: Artur Barashev (abarashev)
Reporter: Artur Barashev (abarashev)