Skip to content
This repository has been archived by the owner on Feb 2, 2023. It is now read-only.
/ jdk13u-dev Public archive

Commit

Permalink
8242184: Default signature algorithm for an RSASSA-PSS key
Browse files Browse the repository at this point in the history
Backport-of: d8539a5
  • Loading branch information
Olga Mikhaltsova authored and Yuri Nesterenko committed May 6, 2021
1 parent d46f297 commit fac6c49
Show file tree
Hide file tree
Showing 4 changed files with 92 additions and 6 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -1099,6 +1099,8 @@ public static String getDefaultSigAlgForKey(PrivateKey k) {
case "RSA":
return ifcFfcStrength(KeyUtil.getKeySize(k))
+ "withRSA";
case "RSASSA-PSS":
return "RSASSA-PSS";
default:
return null;
}
Expand Down
17 changes: 14 additions & 3 deletions src/java.base/share/classes/sun/security/x509/X509CRLImpl.java
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
import java.security.cert.X509CRLEntry;
import java.security.cert.CRLException;
import java.security.*;
import java.security.spec.AlgorithmParameterSpec;
import java.util.*;

import javax.security.auth.x500.X500Principal;
Expand Down Expand Up @@ -495,10 +496,20 @@ public void sign(PrivateKey key, String algorithm, String provider)
else
sigEngine = Signature.getInstance(algorithm, provider);

sigEngine.initSign(key);
AlgorithmParameterSpec params = AlgorithmId
.getDefaultAlgorithmParameterSpec(algorithm, key);
try {
SignatureUtil.initSignWithParam(sigEngine, key, params, null);
} catch (InvalidAlgorithmParameterException e) {
throw new SignatureException(e);
}

// in case the name is reset
sigAlgId = AlgorithmId.get(sigEngine.getAlgorithm());
if (params != null) {
sigAlgId = AlgorithmId.get(sigEngine.getParameters());
} else {
// in case the name is reset
sigAlgId = AlgorithmId.get(sigEngine.getAlgorithm());
}
infoSigAlgId = sigAlgId;

DerOutputStream out = new DerOutputStream();
Expand Down
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -597,11 +597,11 @@ public void sign(PrivateKey key, AlgorithmParameterSpec signingParams,
SignatureUtil.initSignWithParam(sigEngine, key, signingParams,
null);

// in case the name is reset
if (signingParams != null) {
algId = AlgorithmId.get(sigEngine.getParameters());
} else {
algId = AlgorithmId.get(algorithm);
// in case the name is reset
algId = AlgorithmId.get(sigEngine.getAlgorithm());
}
DerOutputStream out = new DerOutputStream();
DerOutputStream tmp = new DerOutputStream();
Expand Down
73 changes: 73 additions & 0 deletions test/jdk/sun/security/tools/keytool/GenerateAll.java
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/

/*
* @test
* @bug 8242184
* @summary CRL generation error with RSASSA-PSS
* @library /test/lib
*/

import jdk.test.lib.SecurityTools;
import jdk.test.lib.process.OutputAnalyzer;

public class GenerateAll {

public static void main(String[] args) throws Throwable {

kt("-genkeypair -alias ca -dname CN=CA -keyalg ec");

String[] aliases = {
"rsa", "dsa", "rrr", "rsassa-pss", "ec"};

for (String alias : aliases) {
// "rrr": keyalg is rsa, sigalg is rsassa-pss
// otherwise: keyalg is alias, sigalg auto derived
String keyAlg = alias.equals("rrr") ? "rsa" : alias;
String extra = alias.equals("rrr") ? " -sigalg rsassa-pss" : "";

// gen
kt("-genkeypair -alias " + alias + " -dname CN=" + alias
+ " -keyalg " + keyAlg + extra);

// req
kt("-certreq -alias " + alias + " -file " + alias + ".req");
kt("-printcertreq -file " + alias + ".req");

// gencert
kt("-gencert -alias ca -infile " + alias
+ ".req -outfile " + alias + ".crt");
kt("-printcert -file " + alias + ".crt");

// crl
kt("-gencrl -alias " + alias + " -id 0 -file " + alias + ".crl");
kt("-printcrl -file " + alias + ".crl")
.shouldContain("Verified by " + alias);
}
}

static OutputAnalyzer kt(String arg) throws Exception {
return SecurityTools.keytool("-keystore ks -storepass changeit " + arg)
.shouldHaveExitValue(0);
}
}

1 comment on commit fac6c49

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.