RFR: 8242068: Signed JAR support for RSASSA-PSS and EdDSA [v6]

Weijun Wang weijun at openjdk.java.net
Tue Oct 13 13:34:27 UTC 2020


On Sun, 4 Oct 2020 14:09:26 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Changes requested by alanb (Reviewer).
>
> Note: I force pushed a new commit to correct a typo in the summary line.

Add support for [RFC 6211: Cryptographic Message Syntax (CMS) Algorithm Identifier Protection
Attribute](https://tools.ietf.org/html/rfc6211) to protect against algorithm substitution attacks. This attribute is
signed and contains copies of digestAlgorithm and signatureAlgorithm, which are unprotected in SignerInfo. Before
this enhancement, the two algorithms could be implied from the signature itself (i.e. if you changed either of them, the
signature size would not match or the key would not decrypt). However, with the introduction of RSASSA-PSS, the
signature algorithm can be modified and it still looks like the signature is valid. This particular case is [described
in the RFC](https://tools.ietf.org/html/rfc6211#page-5):

   signatureAlgorithm  has been protected by implication in the past.
      The use of an RSA public key implied that the RSA v1.5 signature
      algorithm was being used.  The hash algorithm and this fact could
      be checked by the internal padding defined.  This is no longer
      true with the addition of the RSA-PSS signature algorithms.

-------------

PR: https://git.openjdk.java.net/jdk/pull/322
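The consistency check the message describes, as an added example that is not part of the PR or of the JDK's own `sun.security.pkcs` code: a minimal DER encoder/decoder builds a SignerInfo carrying the RFC 6211 `cmsAlgorithmProtect` signed attribute (OID 1.2.840.113549.1.9.52, `signatureAlgorithm` with IMPLICIT tag [1]), then compares the protected copies against the unprotected `digestAlgorithm` and `signatureAlgorithm` fields. The `sid` (empty issuer Name, serial 1) and the 8-byte signature are constructed placeholders, no cryptographic signature is verified, and the RSASSA-PSS parameters (SHA-256, MGF1-SHA-256, salt 32) are an assumed realistic choice. The tampered case rewrites only the unprotected `signatureAlgorithm` from sha256WithRSAEncryption to RSASSA-PSS, which is exactly the substitution the signed attribute is meant to catch; a SignerInfo without the attribute is reported as unprotected rather than as tampered.

```python
"""Constructed example: RFC 6211 CMS algorithm identifier protection check over a
hand-built SignerInfo. Not the JDK's implementation; DER handling is minimal."""

OID_SHA256 = "2.16.840.1.101.3.4.2.1"
OID_SHA256_WITH_RSA = "1.2.840.113549.1.1.11"
OID_RSASSA_PSS = "1.2.840.113549.1.1.10"
OID_MGF1 = "1.2.840.113549.1.1.8"
OID_AA_CMS_ALG_PROTECT = "1.2.840.113549.1.9.52"   # id-aa-cmsAlgorithmProtect

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = parse_tlv(body, pos)
        out.append((tag, val))
    return out

def alg_id(o, params=b"\x05\x00"):     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    return tlv(0x30, oid(o) + params)

def pss_params():                       # RSASSA-PSS-params, EXPLICIT tags (RFC 8017); assumed values
    return tlv(0x30, tlv(0xA0, alg_id(OID_SHA256))
               + tlv(0xA1, alg_id(OID_MGF1, alg_id(OID_SHA256)))
               + tlv(0xA2, tlv(0x02, bytes([32]))))

def signer_info(digest_alg, sig_alg, protect=True, signature=b"\x00" * 8):
    """Build a SignerInfo (constructed sid and dummy signature) with or without the attribute."""
    signed_attrs = b""
    if protect:
        # CMSAlgorithmProtection ::= SEQUENCE { digestAlgorithm, signatureAlgorithm [1] IMPLICIT }
        protection = tlv(0x30, digest_alg + b"\xA1" + sig_alg[1:])     # implicit [1] re-tags SEQUENCE
        attr = tlv(0x30, oid(OID_AA_CMS_ALG_PROTECT) + tlv(0x31, protection))
        signed_attrs = tlv(0xA0, attr)                                  # signedAttrs [0] IMPLICIT SET
    sid = tlv(0x30, tlv(0x30, b"") + tlv(0x02, b"\x01"))               # IssuerAndSerialNumber (placeholder)
    return tlv(0x30, tlv(0x02, b"\x01") + sid + digest_alg + signed_attrs + sig_alg + tlv(0x04, signature))

def check_algorithm_protection(si):
    """Return findings; an empty list means the attribute is present and matches SignerInfo."""
    fields = children(parse_tlv(si)[1])          # version, sid, digestAlg, [signedAttrs], sigAlg, sig
    digest_alg = fields[2]
    if fields[3][0] == 0xA0:
        signed_attrs, sig_alg = children(fields[3][1]), fields[4]
    else:
        signed_attrs, sig_alg = [], fields[3]
    values = []
    for _, attr in signed_attrs:
        atype, aset = children(attr)
        if decode_oid(atype[1]) == OID_AA_CMS_ALG_PROTECT:
            values += children(aset[1])
    if not values:
        return ["no cmsAlgorithmProtect attribute: algorithm identifiers are unprotected"]
    if len(values) != 1:
        return ["cmsAlgorithmProtect must be single-valued"]
    parts, findings = children(values[0][1]), []
    prot_sig = next((p for p in parts if p[0] == 0xA1), None)
    if any(p[0] == 0xA2 for p in parts):
        findings.append("macAlgorithm present in a SignerInfo attribute")
    if parts[0] != digest_alg:
        findings.append("digestAlgorithm mismatch")
    if prot_sig is None:
        findings.append("signatureAlgorithm missing from attribute")
    elif prot_sig[1] != sig_alg[1]:
        findings.append("signatureAlgorithm mismatch: SignerInfo says %s, attribute says %s" % (
            decode_oid(children(sig_alg[1])[0][1]), decode_oid(children(prot_sig[1])[0][1])))
    return findings

def substitute_signature_algorithm(si, new_sig_alg):
    """Rewrite only the unprotected signatureAlgorithm; signedAttrs stay intact (they are signed)."""
    fields = children(parse_tlv(si)[1])
    idx = 4 if fields[3][0] == 0xA0 else 3
    tag, body, _ = parse_tlv(new_sig_alg)
    fields[idx] = (tag, body)
    return tlv(0x30, b"".join(tlv(t, v) for t, v in fields))

SHA256, RSA_V15, PSS = alg_id(OID_SHA256), alg_id(OID_SHA256_WITH_RSA), alg_id(OID_RSASSA_PSS, pss_params())

def demo():
    genuine = signer_info(SHA256, RSA_V15)
    return {"genuine": check_algorithm_protection(genuine),
            "tampered": check_algorithm_protection(substitute_signature_algorithm(genuine, PSS)),
            "legacy": check_algorithm_protection(signer_info(SHA256, RSA_V15, protect=False))}

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["consistent"])
```

The check compares the full AlgorithmIdentifier bodies (OID and parameters), not just the OIDs, because for RSASSA-PSS the parameters (hash, MGF, salt length) are part of what a substitution can change. A real verifier runs this only after the signature over signedAttrs has been validated; the attribute is trustworthy precisely because it sits inside the signed data.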
