8274471: Add support for RSASSA-PSS in OCSP Response

[apavlyutkin]

Hi!

Here is backport of JDK-8274471 adding support of RSASSA-PSS signature to OCSP Response. Original patch applied with the following changes

src/java.base/share/classes/sun/security/provider/certpath/OCSP.java

• import of java.security.cert.TrustAnchor and sun.security.validator.Validator packages didn't removed cuz they are still in use;
• added import of java.nio.charset.StandardCharsets.UTF_8 promoting UTF_8 constant;
• the changes to revocation checking were skipped

src/java.base/share/classes/sun/security/util/SignatureUtil.java

• added import sun.security.x509.AlgorithmId package;
• the following required methods ported

    public static Signature fromKey(String sigAlg, PrivateKey key, String provider);
    public static Signature fromKey(String sigAlg, PrivateKey key, Provider provider);
    private static Signature autoInitInternal(String alg, PrivateKey key, Signature s);
    public static AlgorithmId fromSignature(Signature sigEngine, PrivateKey key);

• EdEC related code dropped
• SignatureUtil.autoInitInternal() method updated to use AlgorithmId.getDefaultAlgorithmParameterSpec() instead of almost identical SignatureUtil.getDefaultParamSpec()

src/java.base/share/classes/sun/security/x509/AlgorithmId.java

• public byte[] getEncodedParams() does not throw anymore

test/jdk/java/security/testlibrary/CertificateBuilder.java
test/jdk/java/security/testlibrary/SimpleOCSPServer.java

• added import of sun.security.util.SignatureUtil package

Verification/regression (amd64/LTS 20.04): jdk_security including updated tests

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8274471: Add support for RSASSA-PSS in OCSP Response

Reviewers

• Paul Hohensee (@phohensee - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk11u-dev.git pull/1891/head:pull/1891
$ git checkout pull/1891

Update a local copy of the PR:
$ git checkout pull/1891
$ git pull https://git.openjdk.org/jdk11u-dev.git pull/1891/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 1891

View PR using the GUI difftool:
$ git pr show -t 1891

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk11u-dev/pull/1891.diff

Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back apavlyutkin! A progress list of the required criteria for merging this PR into pr/847 will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

This backport pull request has now been updated with issue from the original commit.

[mlbridge]

Webrevs

• 01: Full - Incremental (443b9b3a)
• 00: Full (b56e8df3)

[phohensee]

I'm not an expert in this area, but the backport looks good, including the addition of a big chunk of code in SignatureUtil.java from JDK-8242068, which latter is huge and would anyway require a spec change.

[apavlyutkin]

Actually I'm not sure about EdDSA related delta, it's does not seem necessary for RSASSA-PSS support, and moreover original patch does not have these changes

openjdk/jdk@f63c4a8#diff-0393704a5343769f4ef9fa23b6fe9107d0ff96c17c078c30a05ef3be6c7d2304

but for some reason Git transfers them on cherry-pick. I could eliminate unnecesssary code, but I'm not sure if it's better to make more manual changes

[phohensee]

If it works without the EdDSA code, then don't include the latter.

[openjdk-notifier]

The parent pull request that this pull request depends on has been closed without being integrated and the target branch of this pull request has been updated as the previous branch was deleted. This means that changes from the parent pull request will start to show up in this pull request. If closing the parent pull request was done in error, it will need to be re-opened and this pull request will need to manually be retargeted again.

[openjdk]

@apavlyutkin This change now passes all automated pre-integration checks.

After integration, the commit message for the final commit will be:

8274471: Add support for RSASSA-PSS in OCSP Response

Reviewed-by: phh

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 18 new commits pushed to the master branch:

• b2faa35: 8309108: Bump update version for OpenJDK: jdk-11.0.21
• 1000b1c: 8308884: [17u/11u] Backout JDK-8297951
• 3613ae4: 8287876: The recently de-problemlisted TestTitledBorderLeak test is unstable
• 398753e: 8269746: C2: assert(!in->is_CFG()) failed: CFG Node with no controlling input?
• 9eded68: 8246383: NullPointerException in JceSecurity.getVerificationResult when using Entrust provider
• 1cbdcc9: 8300079: SIGSEGV in LibraryCallKit::inline_string_copy due to constant NULL src argument
• b3d6981: 8299259: C2: Div/Mod nodes without zero check could be split through iv phi of loop resulting in SIGFPE
• 8a0b64b: 8307134: Add GTS root CAs
• 5401f12: 8287007: [cgroups] Consistently use stringStream throughout parsing code
• 5c4e744: 8301119: Support for GB18030-2022
• ... and 8 more: https://git.openjdk.org/jdk11u-dev/compare/31396660db3eae3977bbbf8b978b581dfd941d2d...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@phohensee) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

⚠️ @apavlyutkin This pull request contains merges that bring in commits not present in the target repository. Since this is not a "merge style" pull request, these changes will be squashed when this pull request in integrated. If this is your intention, then please ignore this message. If you want to preserve the commit structure, you must change the title of this pull request to Merge <project>:<branch> where <project> is the name of another project in the OpenJDK organization (for example Merge jdk:master).

[apavlyutkin]

#1918 raised to replace this one