JDK-8225745

NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support


Details

    • b30
    • generic
    • generic
    • Verified


      Description

        Submitting this issue on behalf of Alexey Bakhtin (alexey@azul.com)

        The test is in attachments.

        When running with 8, the test completed successfully.

        $ $JAVA_HOME/bin/java Main
        $ Successfully validated certificate chain using Signature Algorithm: SHA256withECDSA

        When running with 11 (and above), the test throws a CertPathValidatorException caused by CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA

        $JAVA_HOME/bin/java Main
        java.security.cert.CertPathValidatorException: signature check failed
          at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
          at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
          at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
          at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
          at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
          at Main.validate(Main.java:74)
          at Main.testSHA256withECDSA(Main.java:24)
          at Main.main(Main.java:10)
        Caused by: java.security.cert.CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA
          at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:436)
          at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
          at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
          at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
          ... 7 more
        Exception in thread "main" java.lang.RuntimeException
          at Main.validate(Main.java:78)
          at Main.testSHA256withECDSA(Main.java:24)
          at Main.main(Main.java:10)

        Prior to JDK 11, the Signature algorithm inside the X509Cert validator was initialized without parameters.

        JDK-8146293 brings RSASSA-PSS signature support, which requires Signature initialization with parameters.

        The X509Cert validator was updated to initialize the signature (any signature) if the certificate contains additional algorithm parameters for this signature.

        In my understanding, it makes sense in the case of RSA-related (RSASSA-PSS) signature algorithms only. So, there is a proposal to change signature initialization for the X509Cert and X509CRL validators to initialize the signature with parameters for RSA-related signatures (JDK 11 logic) and initialize without parameters for other Signature algorithms (JDK 8 logic).

        Webrev:
        http://cr.openjdk.java.net/~dcherepanov/misc/SignatureUtil/webrev/
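
The initialization rule proposed above, as an added sketch that is not part of the original report, the attached test or the webrev. The helper name `setParamsIfPss`, the class name and the constructed sample inputs are assumptions; it needs JDK 11 or later for the `RSASSA-PSS` algorithm.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.*;

public class SigParamInit {
    // Hypothetical helper, not the JDK's own code: apply the parameters carried in a
    // certificate's signature AlgorithmIdentifier only for RSASSA-PSS (JDK 11 logic);
    // for every other algorithm leave the Signature as initialized (JDK 8 logic).
    static void setParamsIfPss(Signature sig, AlgorithmParameterSpec spec)
            throws InvalidAlgorithmParameterException {
        if (spec != null && "RSASSA-PSS".equalsIgnoreCase(sig.getAlgorithm())) {
            sig.setParameter(spec);
        }
    }

    // Sign and verify constructed bytes, applying the rule on both sides.
    static boolean roundTrip(String alg, KeyPair kp, AlgorithmParameterSpec spec)
            throws GeneralSecurityException {
        byte[] tbs = "constructed to-be-signed bytes".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(alg);
        signer.initSign(kp.getPrivate());
        setParamsIfPss(signer, spec);
        signer.update(tbs);
        byte[] sigBytes = signer.sign();

        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(kp.getPublic()); // key first, parameters after
        setParamsIfPss(verifier, spec);
        verifier.update(tbs);
        return verifier.verify(sigBytes);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator ec = KeyPairGenerator.getInstance("EC");
        ec.initialize(new ECGenParameterSpec("secp256r1"));
        // Constructed stand-in for parameters found alongside an ECDSA signature
        // algorithm; the helper ignores it, so verification proceeds as on JDK 8.
        AlgorithmParameterSpec stray = new ECGenParameterSpec("secp256r1");
        System.out.println("SHA256withECDSA verified: "
                + roundTrip("SHA256withECDSA", ec.generateKeyPair(), stray));

        KeyPairGenerator rsa = KeyPairGenerator.getInstance("RSA");
        rsa.initialize(2048);
        // RSASSA-PSS cannot sign or verify until its parameters are set.
        AlgorithmParameterSpec pss = new PSSParameterSpec(
                "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
        System.out.println("RSASSA-PSS verified: "
                + roundTrip("RSASSA-PSS", rsa.generateKeyPair(), pss));
    }
}
```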

              People

                valeriep Valerie Peng
                dcherepanov Dmitry Cherepanov