JDK-8230420 : digestEncryptionAlgorithm in SignerInfo isn't using full signature algorithm for EC
  • Type: Bug
  • Component: security-libs
  • Sub-Component: java.security
  • Affected Version: 7
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2019-09-02
  • Updated: 2022-12-15
  • Resolved: 2020-11-09
Related Reports
Duplicate :  
Back in PKCS #7 1.5 (https://tools.ietf.org/html/rfc2315#section-9.2), this field contains a digestAlgorithm and a digestEncryptionAlgorithm, and we use SHA-1 and RSA.

Then in CMS (https://tools.ietf.org/html/rfc2630#section-5.3), the 2nd field is renamed to signatureAlgorithm although https://tools.ietf.org/html/rfc2630#section-12.2.2 still claims RSA is a signature algorithm (Attention: not SHA1withRSA).

Then in the ECC CMS (https://tools.ietf.org/html/rfc5753#section-2.1.1), “signatureAlgorithm contains the signature algorithm identifier (see Section 7.1.3): ecdsa-with-SHA1,…” (i.e. SHA1withECDSA). However, Java is still using only the key algorithm EC as digestEncryptionAlgorithm (we never renamed the field).
Since JDK-8242068 we will use the signature algorithm when generating a new signed JAR. The old "EC" encryption algorithm is still recognized.

However, it looks like openssl also supports the Java style. It is able to verify a signed jar file:

    keytool -genkeypair -alias a -dname CN=A -storepass changeit -keyalg ec -keystore ks
    jar cvf a.jar ks
    jarsigner -keystore ks -storepass changeit a.jar a
    unzip a.jar
    cd META-INF/
    openssl cms -in A.EC -verify -inform DER -noverify -content A.SF

This can be demonstrated by looking at the block file in a signed JAR file where the field is rsaEncryption for RSA and id-ecPublicKey for EC. On the other hand, the output of `openssl cms` shows rsaEncryption and ecdsa-with-SHA256 respectively.
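
The two encodings discussed above can be resolved to the same effective algorithm by a verifier. The following is an added example, not code from the JDK or OpenSSL: it walks a DER-encoded SignerInfo and, when the field holds only a key algorithm OID, takes the hash from digestAlgorithm. The function names, the small OID tables and the two sample byte strings are assumptions constructed for illustration.

```python
# Added example: effective signature algorithm of a CMS SignerInfo (DER).
DIGESTS = {"1.3.14.3.2.26": "SHA1", "2.16.840.1.101.3.4.2.1": "SHA256"}
KEY_ALGS = {"1.2.840.10045.2.1": "ECDSA",             # id-ecPublicKey
            "1.2.840.113549.1.1.1": "RSA"}            # rsaEncryption
SIG_ALGS = {"1.2.840.10045.4.1": "SHA1withECDSA",     # ecdsa-with-SHA1
            "1.2.840.10045.4.3.2": "SHA256withECDSA"}  # ecdsa-with-SHA256

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def algorithm_oid(alg_id_body):
    tag, body, _ = read_tlv(alg_id_body)   # first element of AlgorithmIdentifier
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    arcs, val = [], 0
    for b in body:                         # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val); val = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def effective_sig_alg(signer_info_der):
    # version, sid, digestAlgorithm, [0] signedAttrs OPTIONAL, signatureAlgorithm
    fields = children(read_tlv(signer_info_der)[1])
    digest_oid = algorithm_oid(fields[2][1])
    sig_oid = algorithm_oid(fields[4 if fields[3][0] == 0xA0 else 3][1])
    if sig_oid in SIG_ALGS:                # full signature algorithm (RFC 5753)
        return sig_oid, SIG_ALGS[sig_oid]
    if sig_oid in KEY_ALGS:                # key algorithm only: hash from digestAlgorithm
        return sig_oid, DIGESTS[digest_oid] + "with" + KEY_ALGS[sig_oid]
    raise ValueError("unsupported signatureAlgorithm " + sig_oid)

# Constructed minimal samples: empty issuer, SHA-256 digest, placeholder signature.
HEAD = "020101" "30053000020101" "300b0609608648016503040201"
LEGACY = bytes.fromhex("3026" + HEAD + "300906072a8648ce3d0201" + "04023000")
MODERN = bytes.fromhex("3029" + HEAD + "a000" + "300a06082a8648ce3d040302" + "04023000")
```

Both `effective_sig_alg(LEGACY)` and `effective_sig_alg(MODERN)` resolve to SHA256withECDSA; only the OID carried in the field differs.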