RFR[13] JDK-8225745: NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support

Valerie Peng valerie.peng at oracle.com
Wed Jul 10 04:12:22 UTC 2019


http://cr.openjdk.java.net/~valeriep/8225745/webrev.02/

On 7/9/2019 8:02 PM, Valerie Peng wrote:
> Hmm, not sure why ECUtil discards the exception and returns null...
>
> I plan to add a check inside SignatureUtil to check for null and error 
> out to make the EC case consistent with others. Rerunning mach5 now to 
> double check.
>
> Thanks for noticing this.
> Valerie
> On 7/8/2019 7:45 PM, Weijun Wang wrote:
>> SignatureUtil::getParamSpec(String,byte[]):
>>
>>   126                     paramSpec = ECUtil.getECParameterSpec(p, 
>> paramBytes);
>>
>> ECUtil.getECParameterSpec() could return null when 
>> "parameters.getParameterSpec(ECParameterSpec.class)" throws an 
>> InvalidParameterSpecException. So the behavior is now different from 
>> the other getParamSpec(String,AlgorithmParameters) method where the 
>> exception is wrapped into a ProviderException. Does this matter?
>>
>> Thanks,
>> Max
>>
>>
>>> On Jul 9, 2019, at 8:09 AM, Valerie Peng <valerie.peng at oracle.com> 
>>> wrote:
>>>
>>>
>>> Here is the updated webrev w/ ECUtil.equals() utility method:
>>>
>>> http://cr.openjdk.java.net/~valeriep/8225745/webrev.01/
>>>
>>> Regards,
>>> Valerie
>>> On 7/8/2019 12:12 PM, Valerie Peng wrote:
>>>> Right, based on the current impl, a simple "==" seems to work as 
>>>> it's the same NamedCurve instance inside CurveDB. Well, I could 
>>>> also do a bit of code refactoring and add an equals utility method 
>>>> to ECUtil so this may work better with 3rd party provider's impl.
>>>>
>>>> Thanks,
>>>> Valerie
>>>> On 7/2/2019 8:27 PM, Weijun Wang wrote:
>>>>>    368     private static boolean isCompatible(ECParameterSpec 
>>>>> sigParams,
>>>>>    369             ECParameterSpec keyParams) {
>>>>>    370         if (sigParams == null) {
>>>>>    371             // no restriction on key param
>>>>>    372             return true;
>>>>>    373         }
>>>>>    374         return sigParams.equals(keyParams);
>>>>>    375     }
>>>>>
>>>>> What does "sigParams.equals(keyParams)" mean here? What is the 
>>>>> getClass() of those 2 ECParameterSpec objects?
>>>>>
>>>>> Or maybe you mean "==" because it is always a NamedCurve stored in 
>>>>> CurveDB?
>>>>>
>>>>> Thanks,
>>>>> Max
>>>>>
>>>>>> On Jul 3, 2019, at 10:48 AM, Valerie Peng 
>>>>>> <valerie.peng at oracle.com> wrote:
>>>>>>
>>>>>> Hi
>>>>>>
>>>>>> Any one can help reviewing this fix? Some ECDSA certificates 
>>>>>> contains signature algorithm identifiers with non-null parameter 
>>>>>> bytes. Before RSASSA-PSS support, these parameter bytes are 
>>>>>> ignored, however, after RSASSA-PSS support, the parameter bytes 
>>>>>> are passed to the underlying signature impl and this breaks the 
>>>>>> ECDSA certificate verification. In order for the verification to 
>>>>>> succeeds, the SignatureUtil class needs to be able to parse the 
>>>>>> parameter bytes for ECDSA certificate and that SunEC provider 
>>>>>> needs to accept non-null signature parameters.
>>>>>>
>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8225745
>>>>>> Webrev: http://cr.openjdk.java.net/~valeriep/8225745/webrev.00/
>>>>>>
>>>>>> Mach5 run is clean.
>>>>>>
>>>>>> Thanks,
>>>>>> Valerie


More information about the security-dev mailing list