Bug ID: JDK-7169833 Need to determine native mech value at runtime

Type: Enhancement
Component: security-libs
Sub-Component: javax.crypto
Affected Version: 8

Priority: P4
Status: Resolved
Resolution: Duplicate
OS: solaris
CPU: generic

Submitted: 2012-05-17
Updated: 2023-11-29
Resolved: 2016-05-11

JDK 9
9Resolved

Solaris libsoftcrypto/ucrypto library added several new mechanisms and as a result, they re-ordered the mechanisms inside enum ucrypto_mech. As a result, 

SHA1withRSA was 34, now it is 37
SHA256withRSA was 35, now it is 39
SHA384withRSA was 36, now it is 40
SHA512withRSA was 37, now it is 41
MD5withRSA was 33, now it's 36. 

This leads to unexpected failures since OracleUcrypto still uses the old native mech values, i.e. uses 34 when java apps requests SHA1withRSA algo.

see JDK-8000415
11-05-2016
This has been covered as part of the SHA-3 enhancement of OracleUcrypto provider work. Will close this as duplicate of JDK-8000415 "Add support for SHA-3".
11-05-2016
Valerie - can you give more information around the solaris bug here. Links to the solaris bug ? Solaris patch numbers that resolve the issue ?
16-09-2014
EVALUATION Lowering to P4 since little impact should be felt with Solaris bug 7172349 is integrated into S11.
19-07-2012
EVALUATION No new regression test needed since it's covered by existing regression tests, i.e. if running against the incompatible Solaris builds, the current regression tests would fail. Thus, adding "noreg-other" keyword accordingly.
30-06-2012
WORK AROUND (Note that s11u1_18 should make these workarounds unnecessary, but you may need to issue 'javaws -clearcache' to clear user cache first) Add 'Signature.SHA1withRSA' into <JDK7_installed_path>/jre/lib/security/ucrypto-solaris.cfg, as in this diff: --- ucrypto-solaris.cfg.orig Fri Jun 15 01:40:06 2012 +++ ucrypto-solaris.cfg Fri Jun 15 01:36:32 2012 @@ -2,6 +2,7 @@ # Configuration file for the OracleUcrypto provider # disabledServices = { + Signature.SHA1withRSA # disabled due to Solaris bug 7121679 Cipher.AES/CFB128/PKCS5Padding Cipher.AES/CFB128/NoPadding
15-06-2012
EVALUATION 7172349 has been integrated into s11u1_18, and it's up to everyone to decide how to best solve this renumbering. Please see the Evaluation of 7172349 for an update.
14-06-2012
EVALUATION Currently, Solaris side has filed a P1 bug 7172349 "libsoftcrypto enum needs to be reverted" for addressing the changes on their side. If they revert the values back, then no impact should be felt even if java side remain as is, i.e. hardcode the values from S11 build 10. For the long run, java side, i.e. OracleUcrypto provider, shall utilize the native API ucrypto_get_mechlist(char*) to query the supported mech and its numerical values. Priority of this bug will be adjusted accordingly depending on the status of the Solaris bug 7172349. For now, I will leave this at P2. Will re-visit this after coming back from vacation, i.e. end of June, and then decide on the appropriate releases for putting back the fixes.
30-05-2012
WORK AROUND Switching to JDK6 is a crude workaround.
26-05-2012
WORK AROUND neither ucrypto or sunpkcs11 provider are capable of SHA1 on solaris/JRE 7 as a result. Another workaround is to modify jre/lib/security/java.security file to alter ordering of security providers : e.g comment out ucrypto line and make sun.security.provider.Sun the #1 provider #security.provider.1=com.oracle.security.ucrypto.UcryptoProvider ${java.home}/lib/security/ucrypto-solaris.cfg security.provider.2=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/sunpkcs11-solaris.cfg security.provider.1=sun.security.provider.Sun
26-05-2012

Duplicate :	JDK-8000415 - Add support for SHA-3
Relates :	JDK-7177037 - Cacao JMX client fails with CRYPTO_MECHANISM_INVALID on S11U1 build 17 with java 1.7.0.4