Bug ID: JDK-8171491 error with sha224withRSA signature algorithm

Type: Bug
Component: security-libs
Sub-Component: javax.net.ssl
Affected Version: 8u92

Priority: P4
Status: Closed
Resolution: Not an Issue
OS: windows_7
CPU: x86_64

Submitted: 2016-12-16
Updated: 2017-03-20
Resolved: 2016-12-20

FULL PRODUCT VERSION :
java version "1.8.0_92"

ADDITIONAL OS VERSION INFORMATION :
Microsoft Windows [Version 6.1.7601]

A DESCRIPTION OF THE PROBLEM :
My client was accepting a cert with sha224withRSA signature algorithm with java version "1.8.0_91".
When I upgraded to java version "1.8.0_111", I see below error, which got introduced in java version "1.8.0_92".
handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: SHA224withRSA*


REPRODUCIBILITY :
This bug can be reproduced always.

From submitter: -------------------- The error was found in 8u92 and latter releases(Windows only). Anyway, this has been resolved. I found the actual reason for this in 8u92 release notes, below link gives details: http://www.oracle.com/technetwork/java/javase/8u92-relnotes-2949471.html SHA224 removed from the default support list if SunMSCAPI enabled SunJSSE allows SHA224 as an available signature and hash algorithm for TLS 1.2 connections. However, the current implementation of SunMSCAPI does not yet support SHA224. This can cause problems if SHA224 and SunMSCAPI private keys are used at the same time. To mitigate the problem, we remove SHA224 from the default support list if SunMSCAPI is enabled. See JDK-8064330.

20-12-2016

To submitter: Can you please send out the complete stack trace for the issue mentioned in the bug report. Was the upgrade directly from JDK 8u92 to JDK 8u111 ? Was any such issue observed with JDK 8u101/8u102 ?

20-12-2016