[jdk17u-dev] RFR: 8320597: RSA signature verification fails on signed data that does not encode params correctly
Alexey Bakhtin
abakhtin at openjdk.org
Thu Dec 14 14:05:50 UTC 2023
On Thu, 14 Dec 2023 07:27:43 GMT, Martin Balao <mbalao at openjdk.org> wrote:
>> Backport is not clean because encodeSignature and decodeSignature methods belong to the RSASignature class ( not RSAUtil ).
>> This is the reason for no changes in the RSAUtil class.
>
> src/java.base/share/classes/sun/security/rsa/RSASignature.java line 267:
>
>> 265: DerOutputStream oidout = new DerOutputStream();
>> 266: oidout.putOID(oid);
>> 267: out.write(DerValue.tag_Sequence, oidout);
>
> Can we write these lines in the same way as in the 22 patch? (out.write(DerValue.tag_Sequence, new DerOutputStream().putOID(oid));)
No, we can not. DerOutputStream::putOID() was changed in JDK20 to return itself : [JDK-8294987](https://github.com/openjdk/jdk/commit/823b53d8957ff06b66c35e676c25992e9707afe6#diff-cc247245c29a0ea3516813a4c50ac2b79c0d959c193082a1603c86d1a9dca6e3R319)
It is not backported to JDK17, so putOID returns void
-------------
PR Review Comment: https://git.openjdk.org/jdk17u-dev/pull/2052#discussion_r1426760886
More information about the jdk-updates-dev
mailing list