JDK-8225745 : NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11,13
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2019-06-13
  • Updated: 2021-01-08
  • Resolved: 2019-07-11
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 11 JDK 8 Other
11.0.11-oracleFixed 8u251Fixed openjdk8u252Fixed
Related Reports
Relates :  
Submitting this issue on behalf of Alexey Bakhtin (alexey@azul.com)

The test is in attachments.

When running with 8, the test completed successfully.

$ $JAVA_HOME/bin/java Main
$ Successfully validated certificate chain using Signature Algorithm: SHA256withECDSA

When running with 11 (and above), the test throws CertPathValidatorException exception caused by CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA

$JAVA_HOME/bin/java Main
java.security.cert.CertPathValidatorException: signature check failed
 	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
 	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
 	at Main.validate(Main.java:74)
       at Main.testSHA256withECDSA(Main.java:24)
 	at Main.main(Main.java:10) 
Caused by: java.security.cert.CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA 	at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:436) 
	at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166) 
	at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147) 
	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125) 	... 7 more
Exception in thread "main" java.lang.RuntimeException
 	at Main.validate(Main.java:78)
 	at Main.testSHA256withECDSA(Main.java:24)
 	at Main.main(Main.java:10)

Prior to JDK11 Signature Algorithm inside X509Cert validator were initialized without parameters.

JDK-8146293 brings RSASSA-PSS signature support which requires Signature initialization with parameters.

X509Cert validator were updated to initialize signature (any signature) if certificate contains additional algorithm parameters for this signature.

In my understanding it makes sense in case of RSA related (RSASSA-PSS) signature algorithms only. So, there is a proposal to change signature initialization for X509Cert and X509CRL validators to initialize signature with parameters for RSA related signatures (JDK11 logic) and initialize without parameters for other Signature algorithms (JDK8 logic).

Fix request (11u) I'd like to have an approval for a 11u backport of this fix. JDK-11 is affected by this bug. Patch does not apply cleanly but a review has been requested here: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-November/002161.html

We have users reporting this makes 11u deployments problematic due to SSL regressions. Adding relevant Affected Versions.

URL: https://hg.openjdk.java.net/jdk/jdk13/rev/6521aec1c26e User: valeriep Date: 2019-07-11 20:12:18 +0000

Before RSASSA-PSS support is added, i.e. JDK-8146293, all signature parameters are ignored (not set). Thus EC signatures with signature parameters are handled in the same way as ones without signature parameters. After RSASSA-PSS support, non-null signature parameters are passed down to provider impls. This cause the breakage in two ways: 1) the parameter processing code in utility class only recognize RSASSA-PSS parameters 2) SunEC provider only accepts null signature parameters

X9.62 allows algorithm parameters for ECDSA signatures, but RFC5758 https://tools.ietf.org/html/rfc5758 uses null parameters for ECDSA algorithm identifier. In order for the submitted test case to work: 1) Current impl of SignatureUtil can only handle PSS parameter for RSASSA-PSS signatures and needs to be enhanced to handle EC parameters for ECDSA signatures. 2) ECDSA signature impl in SunEC provider should accept non-null EC parameters.

The certificate signature contains ECParameters indicating which curve is used (oid). But the Signature impl from SunEC provider does not take any parameters. There appears to be a disconnect or inconsistency and should be fixed.

The current ECDSA signature impl of SunEC provider does not support setting ECParameter and errors out if non-null parameter is specified. Thus we may have to update SunEC provider as well.

The suggested patch is not entirely correct. For ECDSA, the signature algorithm parameter is the oid for EC curve and should not be ignored/discarded. The SignatureUtil class should be fixed to handle ECDSA signatures when there is parameter present.