8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange

Add internal Signature init methods to select provider based on both key and parameter Reviewed-by: xuelei
2025-08-27 14:54:52 +02:00 · 2019-04-10 02:35:18 +00:00 · 2019-04-10 02:35:18 +00:00 · 3b6b6b3cb3
commit 3b6b6b3cb3
parent eebe346715
15 changed files with 723 additions and 177 deletions
--- a/src/java.base/share/classes/java/security/SignatureSpi.java
+++ b/src/java.base/share/classes/java/security/SignatureSpi.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -70,6 +70,33 @@ public abstract class SignatureSpi {
    protected abstract void engineInitVerify(PublicKey publicKey)
        throws InvalidKeyException;

+    /**
+     * Initializes this signature object with the specified
+     * public key for verification operations.
+     *
+     * @param publicKey the public key of the identity whose signature is
+     * going to be verified.
+     * @param params the parameters for generating this signature
+     *
+     * @exception InvalidKeyException if the key is improperly
+     * encoded, does not work with the given parameters, and so on.
+     * @exception InvalidAlgorithmParameterException if the given parameters
+     * is invalid.
+     */
+    void engineInitVerify(PublicKey publicKey,
+            AlgorithmParameterSpec params)
+            throws InvalidKeyException, InvalidAlgorithmParameterException {
+        if (params != null) {
+            try {
+                engineSetParameter(params);
+            } catch (UnsupportedOperationException usoe) {
+                // error out if not overrridden
+                throw new InvalidAlgorithmParameterException(usoe);
+            }
+        }
+        engineInitVerify(publicKey);
+    }
+
    /**
     * Initializes this signature object with the specified
     * private key for signing operations.
@ -98,10 +125,41 @@ public abstract class SignatureSpi {
     * encoded, parameters are missing, and so on.
     */
    protected void engineInitSign(PrivateKey privateKey,
-                                  SecureRandom random)
-        throws InvalidKeyException {
-            this.appRandom = random;
-            engineInitSign(privateKey);
+            SecureRandom random)
+            throws InvalidKeyException {
+        this.appRandom = random;
+        engineInitSign(privateKey);
+    }
+
+    /**
+     * Initializes this signature object with the specified
+     * private key and source of randomness for signing operations.
+     *
+     * <p>This concrete method has been added to this previously-defined
+     * abstract class. (For backwards compatibility, it cannot be abstract.)
+     *
+     * @param privateKey the private key of the identity whose signature
+     * will be generated.
+     * @param params the parameters for generating this signature
+     * @param random the source of randomness
+     *
+     * @exception InvalidKeyException if the key is improperly
+     * encoded, parameters are missing, and so on.
+     * @exception InvalidAlgorithmParameterException if the parameters is
+     * invalid.
+     */
+    void engineInitSign(PrivateKey privateKey,
+            AlgorithmParameterSpec params, SecureRandom random)
+            throws InvalidKeyException, InvalidAlgorithmParameterException {
+        if (params != null) {
+            try {
+                engineSetParameter(params);
+            } catch (UnsupportedOperationException usoe) {
+                // error out if not overrridden
+                throw new InvalidAlgorithmParameterException(usoe);
+            }
+        }
+        engineInitSign(privateKey, random);
    }

    /**
@ -127,7 +185,7 @@ public abstract class SignatureSpi {
     * properly
     */
    protected abstract void engineUpdate(byte[] b, int off, int len)
-        throws SignatureException;
+            throws SignatureException;

    /**
     * Updates the data to be signed or verified using the specified
@ -223,7 +281,7 @@ public abstract class SignatureSpi {
     * @since 1.2
     */
    protected int engineSign(byte[] outbuf, int offset, int len)
-                        throws SignatureException {
+             throws SignatureException {
        byte[] sig = engineSign();
        if (len < sig.length) {
                throw new SignatureException
@ -251,7 +309,7 @@ public abstract class SignatureSpi {
     * process the input data provided, etc.
     */
    protected abstract boolean engineVerify(byte[] sigBytes)
-        throws SignatureException;
+            throws SignatureException;

    /**
     * Verifies the passed-in signature in the specified array
@ -273,7 +331,7 @@ public abstract class SignatureSpi {
     * @since 1.4
     */
    protected boolean engineVerify(byte[] sigBytes, int offset, int length)
-        throws SignatureException {
+            throws SignatureException {
        byte[] sigBytesCopy = new byte[length];
        System.arraycopy(sigBytes, offset, sigBytesCopy, 0, length);
        return engineVerify(sigBytesCopy);
@ -305,7 +363,7 @@ public abstract class SignatureSpi {
     */
    @Deprecated
    protected abstract void engineSetParameter(String param, Object value)
-        throws InvalidParameterException;
+            throws InvalidParameterException;

    /**
     * <p>This method is overridden by providers to initialize
@ -321,8 +379,8 @@ public abstract class SignatureSpi {
     * are inappropriate for this signature engine
     */
    protected void engineSetParameter(AlgorithmParameterSpec params)
-        throws InvalidAlgorithmParameterException {
-            throw new UnsupportedOperationException();
+            throws InvalidAlgorithmParameterException {
+        throw new UnsupportedOperationException();
    }

    /**