Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8248313

Default signature algorithm for an RSASSA-PSS key

    XMLWordPrintable

    Details

    • Subcomponent:
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Before this fix, a -sigalg must always be specified for an RSASSA-PSS key. Now it's not necessary.
    • Interface Kind:
      add/remove/modify command line option
    • Scope:
      JDK

      Description

      Summary

      Define the default signature algorithm of an RSASSA-PSS key for keytool and jarsigner.

      Problem

      Both keytool and jarsigner support default signature algorithms when no -sigalg is specified. For example, SHA256withRSA for an RSA key. We need to define one for an RSASSA-PSS key.

      Currently, an error occurs if it's not provided:

      $ keytool -genkeypair -keyalg rsassa-pss -storepass changeit -dname CN=A
      keytool error: java.lang.IllegalArgumentException: Cannot derive signature algorithm from RSASSA-PSS

      Solution

      The default signature algorithm for an RSASSA-PSS key is RSASSA-PSS.

      Specification

      diff --git a/closed/src/java.base/share/man/keytool.md b/closed/src/java.base/share/man/keytool.md
      --- a/closed/src/java.base/share/man/keytool.md
      +++ b/closed/src/java.base/share/man/keytool.md
      @@ -1241,16 +1241,17 @@
       algorithm (`-sigalg` option) is derived from the algorithm of the underlying
       private key to provide an appropriate level of security strength as follows:
      
      -keyalg   keysize   default sigalg
      --------  --------  --------------
      -DSA      any size  SHA256withDSA
      -RSA      \<= 3072  SHA256withRSA
      -         \<= 7680  SHA384withRSA
      -         \> 7680   SHA512withRSA
      -EC       \< 384    SHA256withECDSA
      -         \< 512    SHA384withECDSA
      -         = 512     SHA512withECDSA
      --------  --------  --------------
      +keyalg      keysize   default sigalg
      +----------  --------  --------------
      +DSA         any size  SHA256withDSA
      +RSA         \<= 3072  SHA256withRSA
      +            \<= 7680  SHA384withRSA
      +            \> 7680   SHA512withRSA
      +EC          \< 384    SHA256withECDSA
      +            \< 512    SHA384withECDSA
      +            = 512     SHA512withECDSA
      +RSASSA-PSS  any size  RSASSA-PSS
      +----------  --------  --------------
      
       **Note:**
      
      diff --git a/closed/src/jdk.jartool/share/man/jarsigner.md b/closed/src/jdk.jartool/share/man/jarsigner.md
      --- a/closed/src/jdk.jartool/share/man/jarsigner.md
      +++ b/closed/src/jdk.jartool/share/man/jarsigner.md
      @@ -226,16 +226,17 @@
       By default, the `jarsigner` command signs a JAR file using one of the following
       algorithms files depending on the type and size of the private key:
      
      -keyalg   keysize   default sigalg
      --------  --------  --------------
      -DSA      any size  SHA256withDSA
      -RSA      \<= 3072  SHA256withRSA
      -         \<= 7680  SHA384withRSA
      -         \> 7680   SHA512withRSA
      -EC       \< 384    SHA256withECDSA
      -         \< 512    SHA384withECDSA
      -         = 512     SHA512withECDSA
      --------  --------  --------------
      +keyalg      keysize   default sigalg
      +----------  --------  --------------
      +DSA         any size  SHA256withDSA
      +RSA         \<= 3072  SHA256withRSA
      +            \<= 7680  SHA384withRSA
      +            \> 7680   SHA512withRSA
      +EC          \< 384    SHA256withECDSA
      +            \< 512    SHA384withECDSA
      +            = 512     SHA512withECDSA
      +RSASSA-PSS  any size  RSASSA-PSS
      +----------  --------  --------------
      
       These default signature algorithms can be overridden by using the `-sigalg`
       option.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              pkumaraswamy Prajwal Kumaraswamy
              Reporter:
              weijun Weijun Wang
              Reviewed By:
              Prasadarao Koppula
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: