Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8233418

Add support for RSASSA-PSS Signature algorithm (Java SE 8)

    XMLWordPrintable

    Details

    • Subcomponent:
    • Compatibility Kind:
      source
    • Compatibility Risk:
      low
    • Compatibility Risk Description:
      There was some reworking on the implementation code to support PSS. However, it's being used in JDK, so shouldn't be as risky as brand new code.
    • Interface Kind:
      Java API
    • Scope:
      SE

      Description

      Summary

      Add support for RSASSA-PSS Signature algorithm in Java SE 8.

      Problem

      PKCS#1 v2.2 (RFC 8017) provides recommendations for the implementation of public-key cryptography based on the RSA algorithm [RSA].

      Existing Java SE security APIs and JDK crypto providers support most but not all algorithms in PKCS#1 and need to be updated to support PKCS#1 v2.2.

      To preserve compatibility with newer platform releases, the Java SE 11 RSASSA-PSS APIs will be backported to Java SE 8.

      Solution

      1. Update all PKCS#1 v2.1 references with the PKCS#1 v2.2 standard and its ASN.1 syntax
      2. Enhance existing RSA-related classes for supporting RSASSA-PSS keys which may contain parameters
      3. Add RSASSA-PSS (Probabilistic Signature Scheme) implementation support to SunRsaSign provider
      4. Add the support of SHA-512/224 and SHA-512/256 digests.
      5. Add the support of SHA-512/224 and SHA-512/256 digests to the OAEPPadding impl of RSA Cipher implementation in SunJCE provider

      There are 2 API bugs to be backported:

      APIs:

      JDK-8146293: Add support for RSASSA-PSS Signature algorithm

      JDK-8206171: Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized

      Specification

      See the attached webrev for full details. I am including all non-trivial changes to the API files, which include:

      1. Narrative textual changes that we now follow a newer RFC. E.g. we now support RFC 8017 instead of earlier versions of PKCS#1. It updates the spec name and some of the fields found within it, but there are no changes to the APIs.

      2. We updated/clarified what constructors/methods should do in specific cases like omitted parameters. E.g. Signature.getParameters().

      3. Several new fields/methods were added.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              wetmore Bradford Wetmore
              Reporter:
              wetmore Bradford Wetmore
              Reviewed By:
              Valerie Peng
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: