8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange

Add internal Signature init methods to select provider based on both key and parameter Reviewed-by: xuelei
2025-08-27 14:54:52 +02:00 · 2019-04-10 02:35:18 +00:00 · 2019-04-10 02:35:18 +00:00 · 3b6b6b3cb3
commit 3b6b6b3cb3
parent eebe346715
15 changed files with 723 additions and 177 deletions
--- a/src/java.base/share/classes/java/security/cert/X509Certificate.java
+++ b/src/java.base/share/classes/java/security/cert/X509Certificate.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -676,16 +676,14 @@ implements X509Extension {
    public void verify(PublicKey key, Provider sigProvider)
        throws CertificateException, NoSuchAlgorithmException,
        InvalidKeyException, SignatureException {
+        String sigName = getSigAlgName();
        Signature sig = (sigProvider == null)
-            ? Signature.getInstance(getSigAlgName())
-            : Signature.getInstance(getSigAlgName(), sigProvider);
+            ? Signature.getInstance(sigName)
+            : Signature.getInstance(sigName, sigProvider);

-        sig.initVerify(key);
-
-        // set parameters after Signature.initSign/initVerify call,
-        // so the deferred provider selections occur when key is set
        try {
-            SignatureUtil.specialSetParameter(sig, getSigAlgParams());
+            SignatureUtil.initVerifyWithParam(sig, key,
+                SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
        } catch (ProviderException e) {
            throw new CertificateException(e.getMessage(), e.getCause());
        } catch (InvalidAlgorithmParameterException e) {