JDK-8225745 : NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 11,13
  • Priority: P3
  • Status: Closed
  • Resolution: Fixed
  • OS: generic
  • CPU: generic
  • Submitted: 2019-06-13
  • Updated: 2023-11-29
  • Resolved: 2019-07-11
Fix versions:
  • JDK 11: 11.0.11-oracle (Fixed)
  • JDK 13: 13 b30 (Fixed)
  • JDK 14: 14 (Fixed)
  • JDK 8: 8u251 (Fixed)
  • Other: openjdk8u252 (Fixed)
Description
Submitting this issue on behalf of Alexey Bakhtin (alexey@azul.com)

The test is in attachments.

When running with 8, the test completed successfully.

$ $JAVA_HOME/bin/java Main
$ Successfully validated certificate chain using Signature Algorithm: SHA256withECDSA

When running with 11 (and above), the test throws a CertPathValidatorException caused by CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA

$JAVA_HOME/bin/java Main
java.security.cert.CertPathValidatorException: signature check failed
 	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:237)
 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:145)
 	at java.base/sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:84)
 	at java.base/java.security.cert.CertPathValidator.validate(CertPathValidator.java:309)
 	at Main.validate(Main.java:74)
 	at Main.testSHA256withECDSA(Main.java:24)
 	at Main.main(Main.java:10)
Caused by: java.security.cert.CertificateException: Unrecognized algorithm for signature parameters SHA256withECDSA
 	at java.base/sun.security.x509.X509CertImpl.verify(X509CertImpl.java:436)
 	at java.base/sun.security.provider.certpath.BasicChecker.verifySignature(BasicChecker.java:166)
 	at java.base/sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:147)
 	at java.base/sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
 	... 7 more
Exception in thread "main" java.lang.RuntimeException
 	at Main.validate(Main.java:78)
 	at Main.testSHA256withECDSA(Main.java:24)
 	at Main.main(Main.java:10)

Prior to JDK 11, the Signature algorithm inside the X509Cert validator was initialized without parameters.

JDK-8146293 brings RSASSA-PSS signature support, which requires Signature initialization with parameters.

The X509Cert validator was updated to initialize the signature (any signature) if the certificate contains additional algorithm parameters for this signature.

In my understanding, it makes sense in the case of RSA-related (RSASSA-PSS) signature algorithms only. So, there is a proposal to change signature initialization for the X509Cert and X509CRL validators to initialize the signature with parameters for RSA-related signatures (JDK 11 logic) and to initialize without parameters for other Signature algorithms (JDK 8 logic).

Webrev:
http://cr.openjdk.java.net/~dcherepanov/misc/SignatureUtil/webrev/
Comments
Fix request (11u)
I'd like to have an approval for an 11u backport of this fix. JDK-11 is affected by this bug. Patch does not apply cleanly but a review has been requested here: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-November/002161.html
21-11-2019

We have users reporting this makes 11u deployments problematic due to SSL regressions. Adding relevant Affected Versions.
11-10-2019

URL: https://hg.openjdk.java.net/jdk/jdk13/rev/6521aec1c26e
User: valeriep
Date: 2019-07-11 20:12:18 +0000
11-07-2019

Before RSASSA-PSS support is added, i.e. JDK-8146293, all signature parameters are ignored (not set). Thus EC signatures with signature parameters are handled in the same way as ones without signature parameters. After RSASSA-PSS support, non-null signature parameters are passed down to provider impls. This causes the breakage in two ways:
1) the parameter processing code in the utility class only recognizes RSASSA-PSS parameters
2) the SunEC provider only accepts null signature parameters
10-07-2019

X9.62 allows algorithm parameters for ECDSA signatures, but RFC5758 https://tools.ietf.org/html/rfc5758 uses null parameters for ECDSA algorithm identifier. In order for the submitted test case to work:
1) Current impl of SignatureUtil can only handle PSS parameter for RSASSA-PSS signatures and needs to be enhanced to handle EC parameters for ECDSA signatures.
2) ECDSA signature impl in SunEC provider should accept non-null EC parameters.
03-07-2019

The certificate signature contains ECParameters indicating which curve is used (oid). But the Signature impl from the SunEC provider does not take any parameters. There appears to be a disconnect or inconsistency, and it should be fixed.
28-06-2019

The current ECDSA signature impl of SunEC provider does not support setting ECParameter and errors out if non-null parameter is specified. Thus we may have to update SunEC provider as well.
26-06-2019

The suggested patch is not entirely correct. For ECDSA, the signature algorithm parameter is the oid for EC curve and should not be ignored/discarded. The SignatureUtil class should be fixed to handle ECDSA signatures when there is parameter present.
21-06-2019
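
Added example (not part of the bug report, the attached test, or the JDK fix): a small Java audit tool that finds certificates of the kind discussed in the comments above, i.e. ECDSA-signed certificates whose signature AlgorithmIdentifier carries non-null parameters. It uses only the standard java.security.cert API; the class name, output format and exit code are assumptions of this example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example: class name and output format are hypothetical.
public class EcdsaSigParamAudit {

    // ecdsa-with-SHA1, plus the ecdsa-with-SHA2 arc (SHA224..SHA512 are .1 to .4, RFC 5758).
    static boolean isEcdsa(String oid) {
        return oid.equals("1.2.840.10045.4.1") || oid.startsWith("1.2.840.10045.4.3.");
    }

    // True when the AlgorithmIdentifier carries real parameters. Absent parameters
    // (null) and an explicit ASN.1 NULL (05 00) are both treated as "no parameters"
    // (an assumption of this example, so the result is stable across JDK versions).
    static boolean hasParams(byte[] der) {
        if (der == null || der.length == 0) return false;
        return !(der.length == 2 && der[0] == 0x05 && der[1] == 0x00);
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int flagged = 0;
        for (String file : args) {  // PEM or DER files, one or more certificates each
            try (InputStream in = Files.newInputStream(Paths.get(file))) {
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    byte[] params = x.getSigAlgParams();  // DER-encoded, or null if absent
                    if (isEcdsa(x.getSigAlgOID()) && hasParams(params)) {
                        flagged++;
                        System.out.printf("%s: %s signed with %s, sigAlgParams=%s%n",
                            file, x.getSubjectX500Principal().getName(),
                            x.getSigAlgName(), hex(params));
                    }
                }
            }
        }
        System.out.println(flagged + " certificate(s) with ECDSA signature parameters");
        if (flagged > 0) System.exit(1);  // non-zero exit lets a CI job fail on a hit
    }
}
```

Run it over the certificate chain files a service presents or trusts; any flagged certificate is one that a JDK without this fix may reject with the "Unrecognized algorithm for signature parameters" error shown in the description.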