Bug ID: JDK-8146293 Add support for RSASSA-PSS Signature algorithm

JDK-8146293 : Add support for RSASSA-PSS Signature algorithm

Type: Enhancement
Component: security-libs
Sub-Component: java.security

Priority: P2
Status: Resolved
Resolution: Fixed

Submitted: 2015-12-15
Updated: 2024-05-23
Resolved: 2018-05-21

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 11	JDK 8	Other
11 b15Fixed	8u251Fixed	openjdk8u252Fixed

Related Reports

Blocks :	JDK-8166595 - TLS Support for RSASSA-PSS Signature Algorithms
CSR :	JDK-8190180 - Add support for RSASSA-PSS Signature algorithm
Duplicate :	JDK-8031746 - Check that our SunRsaSign implementation supports PKCS#1 v2.2
Relates :	JDK-8242620 - Cannot serialize RSASSA-PSS keys with non-null params
Relates :	JDK-8285683 - Missing @ since 11 in java.security.spec.MGF1ParameterSpec fields
Relates :	JDK-8216039 - TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange
Relates :	JDK-8225745 - NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support
Relates :	JDK-8072046 - REGRESSION: Difference in behavior between 8u25 and 7u72 when SSL certificates have the RSASSA-PSS signature algorithm
Relates :	JDK-8238448 - RSASSA-PSS signature verification fail when using certain odd key sizes
Relates :	JDK-8145252 - JEP 332: Transport Layer Security (TLS) 1.3
Relates :	JDK-8248981 - Specify list of message digest algorithms for RSASSA-PSS signature
Relates :	JDK-8206171 - Signature#getParameters for RSASSA-PSS throws ProviderException when not initialized
Relates :	JDK-8214096 - sun.security.util.SignatureUtil passes null parameter, so JCE validation fails
Relates :	JDK-8215694 - keytool cannot generate RSASSA-PSS certificates
Relates :	JDK-8242556 - Cannot load RSASSA-PSS public key with non-null params from byte array
Relates :	JDK-8242897 - KeyFactory.generatePublic( x509Spec ) failed with java.security.InvalidKeyException
Relates :	JDK-8242335 - Additional Tests for RSASSA-PSS
Relates :	JDK-8205720 - KeyFactory#getKeySpec and translateKey throws NullPointerException with Invalid key

Sub Tasks

JDK-8229518 :

Release Note: Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature - Closed

Description

Sync JDK API support and algorithm implementations in default JDK providers to PKCS#1 v2.2, e.g. Add support for RSA-PSS signatures as well as the supported RSA PKCS1.5 signatures and ciphers to the list defined in PKCS#2.2.

Comments

URL: http://hg.openjdk.java.net/jdk/jdk/rev/3195a713e24d User: valeriep Date: 2018-05-21 23:43:12 +0000
21-05-2018
Raising to P2 since this is required for TLS 1.3.
15-02-2018
Here is a quick summary of changes covered under this RFE 1) Enhanced SunRsaSign provider with the following algorithms: Signature.SHA512/224withRSA (1.2.840.113549.1.1.14) Signature.SHA512/256withRSA (1.2.840.113549.1.1.15) Signature.RSA-PSS (1.2.840.113549.1.1.10) Signature.SHA1withRSAandMGF1 Signature.SHA224withRSAandMGF1 Signature.SHA256withRSAandMGF1 Signature.SHA384withRSAandMGF1 Signature.SHA512withRSAandMGF1 Signature.SHA512/224withRSAandMGF1 Signature.SHA512/256withRSAandMGF1 AlgorithmParameters.RSA-PSS 2) Update the public RSA-related parameter spec classes to v2.2 (CSR proposed) 3) Enhance the OAEP parameter SunJCE provider with SHA-512/224 and SHA-512/224 support (new in v2.2)
28-10-2017
For archive purpose, here is the original description ===================================================== Within PKCS 1 standard there are 2 signature schemes defined: PKCS #1 and PSS. Consider adding support for PSS in JDK. The original webbug was about a TLS issue. TLS versions through 1.2 do not support PSS, see my comment from 9/14/2016. However 1.3 under development might. However some certificates (e.g. Microsoft) do use PSS and we do not interoperate. For historical purposes, the original webbug text follows: A DESCRIPTION OF THE REQUEST : I noticed that in the OpenJDK version of AlgorithmId.java there is no mentioned of this particular algorithm. As a results if a ServerCertificate has a RSASSA-PSS based signature then the AlgorithmConstraints check fails. Is there a plan to add this algorithm to the supported list in AlgorithmId? JUSTIFICATION : Our product requires fetching a Web Server certificate for itself from a Microsoft CA. Microsoft CA can issue a Server certificate based on RSASSA-PSS. However once we bind this certificate to our product and make a REST call to the product we get the following error msg - " java.security.cert.CertificateException: Certificates does not conform to algorithm constraints at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:998) at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:924) at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:866) " EXPECTED VERSUS ACTUAL BEHAVIOR : EXPECTED - This Signature algorithm should be allowed. A REST call to a server using an RSASSA-PSS signature for its default certificate should be allowed. ACTUAL - java.security.cert.CertificateException: Certificates does not conform to algorithm constraints at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:998) at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:924) at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:866) =====================================================
28-10-2017
Although RSA-PSS mechanism is listed in PKCS#11 mechanism list. Solaris does not seem to support it even in its upcoming release S11.4. So, SunPKCS11 provider may not be enhanced with this RSA-PSS signature support unless we have a PKCS11 library to test against. (NSS doc mentioned support for RSA-PSS in its 3.22 release)
13-10-2017
This RFE covers SunRsaSign provider for its RSA-PSS support. SunPKCS11 provider and SunMSCAPI provider will be handled separately afterwards.
13-10-2017
Bernd Eckenfels(ecki@zusammenkunft.net, http://bernd.eckenfels.net) post in OpenJDK (http://mail.openjdk.java.net/pipermail/security-dev/2017-June/015967.html): ------------------------------------------------------------------------------------------------- Are there any plans to support RSA PSS as a Signature algorithm? https://bugs.openjdk.java.net/browse/JDK-8146293 In the german energy market RSA PSS is used for signing messages, and authorities demand to use it also for certificate signatures (RFC 4055) starting with 2018. This is somewhat paranoid but hey, it's a field requirement. At the moment BouncyCastle can be used as a Signature provider and if also used to create X509Certificate objects it can even verify the Signature. BTW: when the BC provider is registered the JDK X509Certificate.verify() finds the RSA PSS OID and uses the BC implementation, however the verification fails for non-Standard parameters (which is not uncommon since people try to avoid SHA1 in MFG1j as it does not parse and set the aproperiate parameters. I wonder if the modularity of X509Certificate could be enhanced to allow that? Having an option to extract ParameterSpec from a random signature block would certainly be a nice feature (similar to looking up the algorithm itself by OID) BTW there was some discussion on PKCS#11 supporting it - I think the Athena PKCS11 lib with their JCOS based IDProtect tokens supports RSAPSS as an mechanism. But I guess that are three different topic, JCE Signature, X509CertExtension and PKCS11 mechanism.
09-06-2017
TLS 1.3 will use RSASSA-PSS signature. See also RFC 4055 for its use in X.509 certificate and CRL.
09-06-2017
Nor does Ucrypto library in S11.4. So, for sure OracleUcrypto provider will not have RSA-PSS Signature support.
02-03-2017
The TLS protocol doesn't currently support PSS: RFC 5246: 7.4.2. Server Certificate ...deleted... Note that there are certificates that use algorithms and/or algorithm combinations that cannot be currently used with TLS. For example, a certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in SubjectPublicKeyInfo) cannot be used because TLS defines no corresponding signature algorithm. ...deleted... However it might be useful to have general (non-TLS) PSS support.
14-09-2016
Need more information to evaluate, as it is not clear if RSASSA-PSS is causing this. The failure indicates that one of the certificates in the server's chain is not compliant with the algorithm or keysizes listed in the jdk.certpath.disabledAlgorithms security property, which in JDK 9, is set to: jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 Please enable certpath debugging (java -Djava.security.debug=certpath) and attach the log file, and/or attach the server's certificate chain to the bug report.
04-01-2016