JDK-8206171 : Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2018-07-02
  • Updated: 2020-06-09
  • Resolved: 2018-07-23
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 12 JDK 8 Other
11 b24Fixed 12Fixed 8u251Fixed openjdk8u252Fixed
Related Reports
CSR :  
Relates :  
Relates :  
When I  call this method "Signature.getInstance("RSASSA-PSS").getParameters()" without initializing the Signature parameters, I get the following exception,
Exception java.security.ProviderException: Missing required PSS parameters
       at RSAPSSSignature.engineGetParameters (RSAPSSSignature.java:608)
       at Signature$Delegate.engineGetParameters (Signature.java:1275)
Signature#getParamters() specification says:
"The returned parameters   may contain a combination of default and randomly generated parameter values used by the underlying signature implementation if this signature requires algorithm parameters but was not initialized with any."
Specification does not state any possible exceptions being thrown.
Also, when I check with other algorithms like ���RSA���, ���DSA��� , this issue is not there.
For e.g.
jshell> Signature.getInstance("SHA256withDSA").getParameters()
$58 ==> null

jshell> Signature.getInstance("SHA256withRSA").getParameters()
$59 ==> null
This bug is filed for clarification of specification (see comment)
Please clarify the specification to include a possible exception being thrown (ProviderException for RSASSA-PSS) or other possible exceptions for future Signature algorithms that require mandatory parameters by the user before any operations could be performed, and user did not set any parameters before using the Signature operations (sign, update, verify).
null could be returned (as per specification)

Will file a CSR per feedback from JCK team for additional clarification of Signature.getParameters() API.

Null is returned when the signature does not use parameters. As RSASSA-PSS signatures require parameters, null isn't a valid return value. As for generating default parameters, it may seem convenient/user friendly, however it has several significant drawbacks. To name a few: - Users may not be aware of the usage of parameters if it is generated for them. - As computing powers grow, default values/algorithms may become weak and obsolete later. Thus, it is better to error out when getParameters() is called but the signature object isn't supplied with one.