JDK-8146293 : Add support for RSASSA-PSS Signature algorithm
  • Type: Enhancement
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2015-12-15
  • Updated: 2023-09-04
  • Resolved: 2018-05-21
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 8 Other
11 b15Fixed 8u251Fixed openjdk8u252Fixed
Related Reports
Blocks :  
CSR :  
Duplicate :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Relates :  
Sub Tasks
JDK-8229518 :  
Description
Sync JDK API support and algorithm implementations in default JDK providers to PKCS#1 v2.2, e.g. Add support for RSA-PSS signatures as well as the supported RSA PKCS1.5 signatures and ciphers to the list defined in PKCS#2.2.
Comments
URL: http://hg.openjdk.java.net/jdk/jdk/rev/3195a713e24d User: valeriep Date: 2018-05-21 23:43:12 +0000
21-05-2018

Raising to P2 since this is required for TLS 1.3.
15-02-2018

Here is a quick summary of changes covered under this RFE 1) Enhanced SunRsaSign provider with the following algorithms: Signature.SHA512/224withRSA (1.2.840.113549.1.1.14) Signature.SHA512/256withRSA (1.2.840.113549.1.1.15) Signature.RSA-PSS (1.2.840.113549.1.1.10) Signature.SHA1withRSAandMGF1 Signature.SHA224withRSAandMGF1 Signature.SHA256withRSAandMGF1 Signature.SHA384withRSAandMGF1 Signature.SHA512withRSAandMGF1 Signature.SHA512/224withRSAandMGF1 Signature.SHA512/256withRSAandMGF1 AlgorithmParameters.RSA-PSS 2) Update the public RSA-related parameter spec classes to v2.2 (CSR proposed) 3) Enhance the OAEP parameter SunJCE provider with SHA-512/224 and SHA-512/224 support (new in v2.2)
28-10-2017

For archive purpose, here is the original description ===================================================== Within PKCS 1 standard there are 2 signature schemes defined: PKCS #1 and PSS. Consider adding support for PSS in JDK. The original webbug was about a TLS issue. TLS versions through 1.2 do not support PSS, see my comment from 9/14/2016. However 1.3 under development might. However some certificates (e.g. Microsoft) do use PSS and we do not interoperate. For historical purposes, the original webbug text follows: A DESCRIPTION OF THE REQUEST : I noticed that in the OpenJDK version of AlgorithmId.java there is no mentioned of this particular algorithm. As a results if a ServerCertificate has a RSASSA-PSS based signature then the AlgorithmConstraints check fails. Is there a plan to add this algorithm to the supported list in AlgorithmId? JUSTIFICATION : Our product requires fetching a Web Server certificate for itself from a Microsoft CA. Microsoft CA can issue a Server certificate based on RSASSA-PSS. However once we bind this certificate to our product and make a REST call to the product we get the following error msg - " java.security.cert.CertificateException: Certificates does not conform to algorithm constraints at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:998) at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:924) at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:866) " EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - This Signature algorithm should be allowed. A REST call to a server using an RSASSA-PSS signature for its default certificate should be allowed. ACTUAL - java.security.cert.CertificateException: Certificates does not conform to algorithm constraints at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:998) at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:924) at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:866) =====================================================
28-10-2017

Although RSA-PSS mechanism is listed in PKCS#11 mechanism list. Solaris does not seem to support it even in its upcoming release S11.4. So, SunPKCS11 provider may not be enhanced with this RSA-PSS signature support unless we have a PKCS11 library to test against. (NSS doc mentioned support for RSA-PSS in its 3.22 release)
13-10-2017

This RFE covers SunRsaSign provider for its RSA-PSS support. SunPKCS11 provider and SunMSCAPI provider will be handled separately afterwards.
13-10-2017

Bernd Eckenfels(ecki@zusammenkunft.net, http://bernd.eckenfels.net) post in OpenJDK (http://mail.openjdk.java.net/pipermail/security-dev/2017-June/015967.html): ------------------------------------------------------------------------------------------------- Are there any plans to support RSA PSS as a Signature algorithm? https://bugs.openjdk.java.net/browse/JDK-8146293 In the german energy market RSA PSS is used for signing messages, and authorities demand to use it also for certificate signatures (RFC 4055) starting with 2018. This is somewhat paranoid but hey, it's a field requirement. At the moment BouncyCastle can be used as a Signature provider and if also used to create X509Certificate objects it can even verify the Signature. BTW: when the BC provider is registered the JDK X509Certificate.verify() finds the RSA PSS OID and uses the BC implementation, however the verification fails for non-Standard parameters (which is not uncommon since people try to avoid SHA1 in MFG1j as it does not parse and set the aproperiate parameters. I wonder if the modularity of X509Certificate could be enhanced to allow that? Having an option to extract ParameterSpec from a random signature block would certainly be a nice feature (similar to looking up the algorithm itself by OID) BTW there was some discussion on PKCS#11 supporting it - I think the Athena PKCS11 lib with their JCOS based IDProtect tokens supports RSAPSS as an mechanism. But I guess that are three different topic, JCE Signature, X509CertExtension and PKCS11 mechanism.
09-06-2017

TLS 1.3 will use RSASSA-PSS signature. See also RFC 4055 for its use in X.509 certificate and CRL.
09-06-2017

Nor does Ucrypto library in S11.4. So, for sure OracleUcrypto provider will not have RSA-PSS Signature support.
02-03-2017

The TLS protocol doesn't currently support PSS: RFC 5246: 7.4.2. Server Certificate ...deleted... Note that there are certificates that use algorithms and/or algorithm combinations that cannot be currently used with TLS. For example, a certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in SubjectPublicKeyInfo) cannot be used because TLS defines no corresponding signature algorithm. ...deleted... However it might be useful to have general (non-TLS) PSS support.
14-09-2016

Need more information to evaluate, as it is not clear if RSASSA-PSS is causing this. The failure indicates that one of the certificates in the server's chain is not compliant with the algorithm or keysizes listed in the jdk.certpath.disabledAlgorithms security property, which in JDK 9, is set to: jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 Please enable certpath debugging (java -Djava.security.debug=certpath) and attach the log file, and/or attach the server's certificate chain to the bug report.
04-01-2016