Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8214096

sun.security.util.SignatureUtil passes null parameter, so JCE validation fails

    Details

    • Subcomponent:
    • Resolved In Build:
      b26
    • CPU:
      generic
    • OS:
      generic

      Backports

        Description

        A DESCRIPTION OF THE PROBLEM :
        The class method;

         public static void specialSetParameter(Signature sig, AlgorithmParameters params)

        Has a call to sig.setParameter(null) which only catches UnsupportedOperationException. I'll leave the debate as to why it is calling with null to other people, but the catch clause around the call should catch NullPointerException as that would be an acceptable exception for a provider to throw and also InvalidAlgorithmParameterException as it is actually the defined exception for setParameter() if bad AlgorithmParameters are passed.

        In the case of third party crypto providers, such as bc-fips-1.0.1.jar this is particularly serious as it leads to a:

        JCE cannot authenticate the provider BCFIPS

        caused by:

        java.util.jar.JarException: file:/tmp/bc-fips-1.0.1.jar is not signed by a trusted signer.

        which is the result of the escaping exception generated by sig.setParameters(null).

        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Place a third party provider such as BC-FJA 1.0.1 first in the java.security file as in:

        security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider

        Compile and run the ProviderTest class:

        javac -classpath bc-fips-1.0.1.jar ProviderTest.java
        java -cp .:bc-fips-1.0.1.jar ProviderTest

        EXPECTED VERSUS ACTUAL BEHAVIOR :
        EXPECTED -
        JVM SecurityProvider list:

        Provider at position = 1 has name = BCFIPS
        Provider at position = 2 has name = SUN
        Provider at position = 3 has name = SunRsaSign
        Provider at position = 4 has name = SunEC
        Provider at position = 5 has name = SunJSSE
        Provider at position = 6 has name = SunJCE
        Provider at position = 7 has name = SunJGSS
        Provider at position = 8 has name = SunSASL
        Provider at position = 9 has name = XMLDSig
        Provider at position = 10 has name = SunPCSC
        Provider at position = 11 has name = JdkLDAP
        Provider at position = 12 has name = JdkSASL
        Provider at position = 13 has name = SunPKCS11
        WARNING: An illegal reflective access operation has occurred
        WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/tmp/java11/bc-fips-1.0.1.jar) to method sun.security.jca.Providers.getSunProvider()
        WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom
        WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
        WARNING: All illegal access operations will be denied in a future release
        ACTUAL -
        JVM SecurityProvider list:

        Provider at position = 1 has name = BCFIPS
        Provider at position = 2 has name = SUN
        Provider at position = 3 has name = SunRsaSign
        Provider at position = 4 has name = SunEC
        Provider at position = 5 has name = SunJSSE
        Provider at position = 6 has name = SunJCE
        Provider at position = 7 has name = SunJGSS
        Provider at position = 8 has name = SunSASL
        Provider at position = 9 has name = XMLDSig
        Provider at position = 10 has name = SunPCSC
        Provider at position = 11 has name = JdkLDAP
        Provider at position = 12 has name = JdkSASL
        Provider at position = 13 has name = SunPKCS11
        WARNING: An illegal reflective access operation has occurred
        WARNING: Illegal reflective access by org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom (file:/tmp/java11/bc-fips-1.0.1.jar) to method sun.security.jca.Providers.getSunProvider()
        WARNING: Please consider reporting this to the maintainers of org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider$CoreSecureRandom
        WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
        WARNING: All illegal access operations will be denied in a future release
        java.lang.SecurityException: JCE cannot authenticate the provider BCFIPS
        at java.base/javax.crypto.Cipher.getInstance(Cipher.java:694)
        at java.base/javax.crypto.Cipher.getInstance(Cipher.java:625)
        at ProviderTest.main(ProviderTest.java:14)
        Caused by: java.util.jar.JarException: file:/tmp/java11/bc-fips-1.0.1.jar is not signed by a trusted signer.
        at java.base/javax.crypto.JarVerifier.verifySingleJar(JarVerifier.java:498)
        at java.base/javax.crypto.JarVerifier.verifyJars(JarVerifier.java:314)
        at java.base/javax.crypto.JarVerifier.verify(JarVerifier.java:257)
        at java.base/javax.crypto.ProviderVerifier.verify(ProviderVerifier.java:129)
        at java.base/javax.crypto.JceSecurity.verifyProvider(JceSecurity.java:191)
        at java.base/javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:217)
        at java.base/javax.crypto.Cipher.getInstance(Cipher.java:690)
        ... 2 more


        ---------- BEGIN SOURCE ----------
        import javax.crypto.*;
        import java.io.*;
        import java.security.*;

        public class ProviderTest
        {
            public static void main(String[] args)
            {
                try
                {
                    printProviders();

                    Cipher.getInstance("AES", "BCFIPS");
                }
                catch (Exception e)
                {
                    e.printStackTrace();
                }
            }

            public static void printProviders()
            {
                System.out.println( "JVM SecurityProvider list:\n");
                Provider[] providers = Security.getProviders();
                for(int i=0; i < providers.length; i++)
                {
                    Provider provider = providers[i];
                    System.out.println( "Provider at position = "+ (i+1) +" has name = "+provider.getName() );
                }
            }
        }

        ---------- END SOURCE ----------

        CUSTOMER SUBMITTED WORKAROUND :
        No work around available.

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  valeriep Valerie Peng
                  Reporter:
                  webbuggrp Webbug Group
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Due:
                    Created:
                    Updated:
                    Resolved: