Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8184673

Fix compatibility issue in AlgorithmChecker for 3rd party JCE providers

    Details

    • Subcomponent:
    • Introduced In Version:
    • Resolved In Build:
      b16
    • Verification:
      Verified

      Backports

        Description

        The change http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da to sun.security.provider.certpath.AlgorithmChecker has introduced an incompatibility to legacy JCE providers that would return old naming convention names, like SHA1/RSA, for X509Certificate.getSigAlgName().

        Although the new naming such as SHA1withRSA should be implemented by the providers, it is safe to revert this place to take the signature algorithm name from the internal certificate implementation object that exists at this place anyway. By doing this we can overcome the potential incompatibility.

          Issue Links

            Activity

            clanger Christoph Langer created issue -
            clanger Christoph Langer made changes -
            Field Original Value New Value
            Link This issue relates to JDK-8174849 [ JDK-8174849 ]
            Hide
            clanger Christoph Langer added a comment -
            Show
            clanger Christoph Langer added a comment - The issue has been discussed here: http://mail.openjdk.java.net/pipermail/security-dev/2017-July/016068.html
            clanger Christoph Langer made changes -
            Status New [ 10000 ] Open [ 1 ]
            clanger Christoph Langer made changes -
            Description The change http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da to sun.security.provider.certpath.AlgorithmChecker.java has introduced an incompatibility to legacy JCE providers that would return old naming convention names, like SHA1/RSA, for X509Certificate.getSigAlgName().

            Although the new naming such as SHA1withRSA should be implemented by the providers, it is safe to revert this place to take the signature algorithm name from the internal certificate implementation object that exists at this place anyway. By doing this we can overcome the potential incompatibility.
            The change http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da to sun.security.provider.certpath.AlgorithmChecker has introduced an incompatibility to legacy JCE providers that would return old naming convention names, like SHA1/RSA, for X509Certificate.getSigAlgName().

            Although the new naming such as SHA1withRSA should be implemented by the providers, it is safe to revert this place to take the signature algorithm name from the internal certificate implementation object that exists at this place anyway. By doing this we can overcome the potential incompatibility.
            mullan Sean Mullan made changes -
            Fix Version/s 10 [ 16302 ]
            clanger Christoph Langer made changes -
            Labels noreg-external
            Hide
            hgupdate HG Updates added a comment -
            URL: http://hg.openjdk.java.net/jdk10/jdk10/jdk/rev/46a03a1d296c
            User: clanger
            Date: 2017-07-17 12:24:34 +0000
            Show
            hgupdate HG Updates added a comment - URL: http://hg.openjdk.java.net/jdk10/jdk10/jdk/rev/46a03a1d296c User: clanger Date: 2017-07-17 12:24:34 +0000
            hgupdate HG Updates made changes -
            Status Open [ 1 ] Resolved [ 5 ]
            Resolved In Build master [ 18256 ]
            Resolution Fixed [ 1 ]
            clanger Christoph Langer made changes -
            Labels noreg-external 9-bp noreg-external
            coffeys Sean Coffey made changes -
            Link This issue backported by JDK-8184743 [ JDK-8184743 ]
            clanger Christoph Langer made changes -
            Labels 9-bp noreg-external noreg-external
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8184745 [ JDK-8184745 ]
            ascarpino Anthony Scarpino made changes -
            Link This issue backport of JDK-8184767 [ JDK-8184767 ]
            ascarpino Anthony Scarpino made changes -
            Link This issue relates to JDK-8184802 [ JDK-8184802 ]
            ascarpino Anthony Scarpino made changes -
            Link This issue backport of JDK-8184767 [ JDK-8184767 ]
            hgupdate HG Updates made changes -
            Resolved In Build master [ 18256 ] b16 [ 17312 ]
            andrew Andrew Hughes made changes -
            Labels noreg-external 8u-CPU-critical-request noreg-external
            andrew Andrew Hughes made changes -
            Link This issue relates to JDK-8176536 [ JDK-8176536 ]
            Hide
            andrew Andrew Hughes added a comment -
            8174849 is also part of this multi-backport patch applied to earlier releases.
            Show
            andrew Andrew Hughes added a comment - 8174849 is also part of this multi-backport patch applied to earlier releases.
            Hide
            coffeys Sean Coffey added a comment -
            [~andrew] please add background to why the critical request label is on this issue. It's already fixed in the jdk8u-dev code line.
            Show
            coffeys Sean Coffey added a comment - [~andrew] please add background to why the critical request label is on this issue. It's already fixed in the jdk8u-dev code line.
            robm Robert Mckenna made changes -
            Labels 8u-CPU-critical-request noreg-external noreg-external
            Hide
            robm Robert Mckenna added a comment -
            no response, removing label for now.
            Show
            robm Robert Mckenna added a comment - no response, removing label for now.
            andrew Andrew Hughes made changes -
            Labels noreg-external 8u-CPU-critical-request noreg-external
            Hide
            andrew Andrew Hughes added a comment -
            No response, over a weekend... :/

            This regression should have been resolved in 8u151. I added the label before that was released.

            We would still like to see it fixed in 8u161 if possible, which I believe is based on 8u152, not 8u162.
            Show
            andrew Andrew Hughes added a comment - No response, over a weekend... :/ This regression should have been resolved in 8u151. I added the label before that was released. We would still like to see it fixed in 8u161 if possible, which I believe is based on 8u152, not 8u162.
            Hide
            rhalade Rajan Halade added a comment -
            Should this also be backported to JDK 9.0.4 along with 8u161?
            Show
            rhalade Rajan Halade added a comment - Should this also be backported to JDK 9.0.4 along with 8u161?
            coffeys Sean Coffey made changes -
            Labels 8u-CPU-critical-request noreg-external 8u-CPU-critical-request CPU18_01-critical-request noreg-external regression
            Hide
            andrew Andrew Hughes added a comment -
            I think so. I don't see it in 9 at all at present.
            Show
            andrew Andrew Hughes added a comment - I think so. I don't see it in 9 at all at present.
            Hide
            coffeys Sean Coffey added a comment -
            This request came in for 8uX fix if I recall correctly (8u critical request) . Let's fix there first. Fixed already in JDK 10.
            Show
            coffeys Sean Coffey added a comment - This request came in for 8uX fix if I recall correctly (8u critical request) . Let's fix there first. Fixed already in JDK 10.
            rhalade Rajan Halade made changes -
            Labels 8u-CPU-critical-request CPU18_01-critical-request noreg-external regression 8u-CPU-critical-request CPU18_01-critical-SQE-OK CPU18_01-critical-request noreg-external regression
            wyandi Winston Yandi made changes -
            Labels 8u-CPU-critical-request CPU18_01-critical-SQE-OK CPU18_01-critical-request noreg-external regression 8u-CPU-critical-request CPU18_01-critical-SQE-OK CPU18_01-critical-approved noreg-external regression
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8190490 [ JDK-8190490 ]
            wyandi Winston Yandi made changes -
            Labels 8u-CPU-critical-request CPU18_01-critical-SQE-OK CPU18_01-critical-approved noreg-external regression 8u-CPU-critical-approved CPU18_01-critical-SQE-OK CPU18_01-critical-approved noreg-external regression
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8190622 [ JDK-8190622 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8192661 [ JDK-8192661 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8194033 [ JDK-8194033 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8195542 [ JDK-8195542 ]
            jjiang John Jiang made changes -
            Status Resolved [ 5 ] Closed [ 6 ]
            Verification Verified [ 17000 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8197369 [ JDK-8197369 ]
            hgupdate HG Updates made changes -
            Link This issue backported by JDK-8198115 [ JDK-8198115 ]

              People

              • Assignee:
                clanger Christoph Langer
                Reporter:
                clanger Christoph Langer
              • Votes:
                0 Vote for this issue
                Watchers:
                10 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: