Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8225745

NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support

    Details

    • Type: Bug
    • Status: Closed
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 13
    • Component/s: security-libs
    • Labels:
    • Subcomponent:
    • Resolved In Build:
      b30
    • CPU:
      generic
    • OS:
      generic
    • Verification:
      Verified

      Backports

        Description

        Submitting this issue on behalf of Alexey Bakhtin (alexey@azul.com)

        The test is in attachments.

        When running with 8, the test completed successfully.

        $ $JAVA_HOME/bin/java Main
        $ Successfully validated certificate chain using Signature Algorithm: SHA256withECDSA

        When running with 11 (and above), the test throws CertPathValidatorException exception caused by CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA

        $JAVA_HOME/bin/java Main
        java.security.cert.CertPathValidatorException: signature check failed
          at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
          at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
          at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
          at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
          at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
          at Main.validate(Main.java:74)
               at Main.testSHA256withECDSA(Main.java:24)
          at Main.main(Main.java:10)
        Caused by: java.security.cert.CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:436)
        at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
        at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
        at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) ... 7 more
        Exception in thread "main" java.lang.RuntimeException
          at Main.validate(Main.java:78)
          at Main.testSHA256withECDSA(Main.java:24)
          at Main.main(Main.java:10)

        Prior to JDK11 Signature Algorithm inside X509Cert validator were initialized without parameters.

        JDK-8146293 brings RSASSA-PSS signature support which requires Signature initialization with parameters.

        X509Cert validator were updated to initialize signature (any signature) if certificate contains additional algorithm parameters for this signature.

        In my understanding it makes sense in case of RSA related (RSASSA-PSS) signature algorithms only. So, there is a proposal to change signature initialization for X509Cert and X509CRL validators to initialize signature with parameters for RSA related signatures (JDK11 logic) and initialize without parameters for other Signature algorithms (JDK8 logic).

        Webrev:
        http://cr.openjdk.java.net/~dcherepanov/misc/SignatureUtil/webrev/

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  valeriep Valerie Peng
                  Reporter:
                  dcherepanov Dmitry Cherepanov
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  3 Start watching this issue

                  Dates

                  • Due:
                    Created:
                    Updated:
                    Resolved: