8242068: Signed JAR support for RSASSA-PSS and EdDSA #322
Conversation
|
👋 Welcome back weijun! A progress list of the required criteria for merging this PR into |
|
@wangweij The following labels will be automatically applied to this pull request: When this pull request is ready to be reviewed, an RFR email will be sent to the corresponding mailing lists. If you would like to change these labels, use the |
openjdk
bot
added
security
Webrevs
|
|
@wangweij this pull request can not be integrated into git checkout 8242068
git fetch https://git.openjdk.java.net/jdk master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push |
openjdk
bot
added
the
merge-conflict
openjdk
bot
removed
the
merge-conflict
|
Note: I force pushed a new commit to correct a typo in the summary line. |
|
/csr |
|
/label remove core-libs |
|
@wangweij this pull request will not be integrated until the CSR request JDK-8245274 for issue JDK-8242068 has been approved. |
|
@wangweij |
|
Add support for RFC 6211: Cryptographic Message Syntax (CMS) Algorithm Identifier Protection Attribute to protect against algorithm substitution attacks. This attribute is signed and it contains copies of digestAlgorithm and signatureAlgorithm which are unprotected in SignerInfo. Before this enhancement, the two algorithms can be implied from the signature itself (i.e. if you change any of them the signature size would not match or the key will not decrypt). However, with the introduction of RSASSA-PSS, the signature algorithm can be modified and it still looks like the signature is valid. This particular case is described in the RFC: |
|
A force push to fix the RFC number typo in the latest commit. No content update. |
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
| * @param params (optional) parameters | ||
| * @return an AlgorithmParameterSpec object | ||
| * @throws ProviderException | ||
| */ |
There was a problem hiding this comment.
Well, I am a bit unsure about your changes to this method. With your change, it returns default parameter spec (instead of null) when the specified AlgorithmParameters object is null. This may not be desirable for all cases? Existing callers would have to check for (params != null) before calling this method. The javadoc description also seems a bit strange with the to-be-converted AlgorithmParameters object being optional. Maybe add a separate method like getParamSpecWithDefault on top of this method or add a separate boolean argument useDefault?
There was a problem hiding this comment.
I cannot remember why I need to return a default. The only default we current have is for RSASSA-PSS, and in all RSASSA-PSS AlgorithmId for signature I see there is always the params. (When it's for a key the params can be missing). All 3 callers of this method is on a signature AlgorithmId so the params should not be null. I'll remove the default return value and do more testing.
There was a problem hiding this comment.
Sounds good. RSASSA-PSS sig algorithm id always have params, it's required.
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
src/java.base/share/classes/sun/security/util/SignatureUtil.java
Outdated
Show resolved
Hide resolved
| * Determines the digestEncryptionAlgorithmId in PKCS& SignerInfo. | ||
| * | ||
| * @param signer Signature object that tells you RSASA-PSS params | ||
| * @param sigalg Signature algorithm tells you who with who |
There was a problem hiding this comment.
Maybe I was thinking about SHA1withRSA, but here it can be the new algorithms. Just remove the confusing words.
|
/label remove compiler |
|
this one has nothing to do with javac so the |
|
@vicente-romero-oracle |
@vicente-romero-oracle Sorry for the noise, I should have removed it earlier. All files in the |
| contentInfo = new ContentInfo(derin, oldStyle); | ||
| contentType = contentInfo.contentType; | ||
| DerValue content = contentInfo.getContent(); | ||
| ContentInfo block = new ContentInfo(derin, oldStyle); |
There was a problem hiding this comment.
With this change, i.e. using a local variable instead of setting the field 'contentInfo', the 'contentInfo' field seems to left unset when contentType equals to ContentInfo.NETSCAPE_CERT_SEQUENCE_OID?
There was a problem hiding this comment.
I'll see what the best code is, but I don't like the way contentInfo is assigned twice, once as the whole block and once as the content inside. I'd rather add a contentInfo = block in its else if block.
There was a problem hiding this comment.
Right, I also dislike the double assignment. Just making sure that contentInfo is set somewhere.
| digAlgID.derEncode(derAlgs); | ||
| DerOutputStream derSigAlg = new DerOutputStream(); | ||
| sigAlgID.derEncode(derSigAlg); | ||
| derAlgs.writeImplicit((byte)0xA1, derSigAlg); |
There was a problem hiding this comment.
Are you sure that this context specific tag value is implicit? In RFC 6211, some other ASN.1 definition uses IMPLICIT keyword after the [x] which seems to suggest that the default is explicit unless specified. Besides, the layman's guide sec2.3 also states "The keyword [class number] alone is the same as explicit tagging, except when the "module" in which the ASN.1 type is defined has implicit tagging by default." So, it seems that explicit tagging should be the default?
There was a problem hiding this comment.
In the formal definition at https://tools.ietf.org/html/rfc6211#appendix-A, you can see DEFINITIONS IMPLICIT TAGS covers from BEGIN to END. Those explicit IMPLICIT tags you see are CMS ASN.1 definitions, and it looks in its own RFC at https://tools.ietf.org/html/rfc5652#section-12, IMPLICIT and EXPLICIT are always written out.
I can confirm both OpenSSL and BC use IMPLICIT.
There was a problem hiding this comment.
Ah, I see. There is a line about implicit tags as you pointed out. Good~
| } | ||
| return encAlg; | ||
| default: | ||
| String digAlg = digAlgId.getName().replace("-", ""); |
There was a problem hiding this comment.
This may be incorrect if the digest algorithm is in the SHA3 family. Maybe we should check and apply this conversion only when digest algorithm starts with "SHA-".
There was a problem hiding this comment.
Good suggestion. I'll also try some tests.
There was a problem hiding this comment.
In fact, since now I directly write the signature algorithm into the SignerInfo.digestEncryptionAlgorithmId field, the code above is not used at all. The makeSigAlg method directly returns the encAlgId argument if it has "with" inside.
I'll fix it anyway. I've confirmed that if I still write only the key algorithm there (Ex: "EC") then the verification process will see a problem without your suggested change.
src/jdk.jartool/share/classes/jdk/security/jarsigner/JarSigner.java
Outdated
Show resolved
Hide resolved
| @@ -125,7 +125,9 @@ public static void main(String[] args) throws Exception { | |||
| iae(()->b1.setProperty("internalsf", "Hello")); | |||
| npe(()->b1.setProperty("sectionsonly", null)); | |||
| iae(()->b1.setProperty("sectionsonly", "OK")); | |||
| npe(()->b1.setProperty("altsigner", null)); | |||
There was a problem hiding this comment.
Is 'altsigner' support removed? But I saw it being used in later part of this test. The javadoc for JarSigner.Builder only lists a subset of above properties. Are those not in javadoc internal and can be removed any time, just curious? Nit: maybe add 8242068 to @bug line for existing regression tests?
There was a problem hiding this comment.
It's deprecated. I remember we are already thinking about deprecating the altSign mechanism when creating the JarSigner API and therefore we didn't add them to the spec from the beginning.
Bug id added.
| @@ -221,8 +218,7 @@ private TsaParam parseRequestParam() throws Exception { | |||
| SignerInfo signerInfo = new SignerInfo( | |||
| new X500Name(issuerName), | |||
| signerEntry.cert.getSerialNumber(), | |||
| AlgorithmId.get( | |||
| AlgorithmId.getDigAlgFromSigAlg(sigAlgo)), | |||
| AlgorithmId.get(SignatureUtil.extractDigestAlgFromDwithE(sigAlgo)), | |||
There was a problem hiding this comment.
So, sigAlgo would never be RSASSA-PSS, EDDSA, ED25519, or ED448?
There was a problem hiding this comment.
There were no getDigestAlgInPkcs7SignerInfo in my initial version. I'll use this new method instead. I'll probably need to try if the new algorithms really work here.
|
@wangweij This change now passes all automated pre-integration checks. ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details. After integration, the commit message for the final commit will be: You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed. At the time when this comment was updated there had been 291 new commits pushed to the
As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details. ➡️ To integrate this PR with the above commit message to the |
|
/integrate |
openjdk
bot
added
integrated
|
@wangweij Since your change was applied there have been 300 commits pushed to the
Your commit was automatically rebased without conflicts. Pushed as commit 839f01d. 💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored. |
Major points in CSR at https://bugs.openjdk.java.net/browse/JDK-8245274:
new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in jarsigner
The ".RSA" and ".EC" block extension types (PKCS null initial cache in ClassValueMap #7 SignedData inside a signed JAR) are reused for new signature algorithms
A new JarSigner property "directsign"
Updating the jarsigner tool doc
Major code changes:
Always use the signature algorithm directly as SignerInfo::signatureAlgorithm. We used to use the encryption algorithm there like RSA, DSA, and EC. Now it's always SHA1withRSA or RSASSA-PSS.
Move signature related utilities methods from AlgorithmId.java to SignatureUtil.java
Add new SignatureUtil methods fromKey() and fromSignature() to simplify creating Signature and getting its AlgorithmId
Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all old and new signature algorithms
Mark all -altsign related code deprecated and they can be removed once ContentSigner is removed
Progress
Testing
Issue
Reviewers
Download
$ git fetch https://git.openjdk.java.net/jdk pull/322/head:pull/322$ git checkout pull/322