8216039: TLS with BC and RSASSA-PSS breaks ECDHServerKeyExchange

Add internal Signature init methods to select provider based on both key and parameter Reviewed-by: xuelei
2025-08-28 15:24:43 +02:00 · 2019-04-10 02:35:18 +00:00 · 2019-04-10 02:35:18 +00:00 · 3b6b6b3cb3
commit 3b6b6b3cb3
parent eebe346715
15 changed files with 723 additions and 177 deletions
--- a/src/java.base/share/classes/sun/security/util/SignatureUtil.java
+++ b/src/java.base/share/classes/sun/security/util/SignatureUtil.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -29,6 +29,7 @@ import java.io.IOException;
 import java.security.*;
 import java.security.spec.*;
 import sun.security.rsa.RSAUtil;
+import jdk.internal.access.SharedSecrets;

 /**
 * Utility class for Signature related operations. Currently used by various
@ -39,12 +40,25 @@ import sun.security.rsa.RSAUtil;
 */
 public class SignatureUtil {

+    private static String checkName(String algName) throws ProviderException {
+        if (algName.indexOf(".") == -1) {
+            return algName;
+        }
+        // convert oid to String
+        try {
+            return Signature.getInstance(algName).getAlgorithm();
+        } catch (Exception e) {
+            throw new ProviderException("Error mapping algorithm name", e);
+        }
+    }
+
    // Utility method of creating an AlgorithmParameters object with
    // the specified algorithm name and encoding
    private static AlgorithmParameters createAlgorithmParameters(String algName,
            byte[] paramBytes) throws ProviderException {

        try {
+            algName = checkName(algName);
            AlgorithmParameters result =
                AlgorithmParameters.getInstance(algName);
            result.init(paramBytes);
@ -54,52 +68,81 @@ public class SignatureUtil {
        }
    }

-    private static AlgorithmParameterSpec getParamSpec(String sigName,
+    // Utility method for converting the specified AlgorithmParameters object
+    // into an AlgorithmParameterSpec object.
+    public static AlgorithmParameterSpec getParamSpec(String sigName,
            AlgorithmParameters params)
-            throws InvalidAlgorithmParameterException, ProviderException {
+            throws ProviderException {

-        if (params == null) return null;
-
-        if (sigName.toUpperCase().indexOf("RSA") == -1) {
-            throw new ProviderException
-                 ("Unrecognized algorithm for signature parameters " +
-                  sigName);
-        }
-        // AlgorithmParameters.getAlgorithm() may returns oid if it's
-        // created during DER decoding. Convert to use the standard name
-        // before passing it to RSAUtil
-        String alg = params.getAlgorithm();
-        if (alg.equalsIgnoreCase(sigName) || alg.indexOf(".") != -1) {
-            try {
-                params = createAlgorithmParameters(sigName,
-                    params.getEncoded());
-            } catch (IOException e) {
-                throw new ProviderException(e);
+        sigName = checkName(sigName);
+        AlgorithmParameterSpec paramSpec = null;
+        if (params != null) {
+            if (sigName.toUpperCase().indexOf("RSA") == -1) {
+                throw new ProviderException
+                    ("Unrecognized algorithm for signature parameters " +
+                     sigName);
            }
+            // AlgorithmParameters.getAlgorithm() may returns oid if it's
+            // created during DER decoding. Convert to use the standard name
+            // before passing it to RSAUtil
+            if (params.getAlgorithm().indexOf(".") != -1) {
+                try {
+                    params = createAlgorithmParameters(sigName,
+                        params.getEncoded());
+                } catch (IOException e) {
+                    throw new ProviderException(e);
+                }
+            }
+            paramSpec = RSAUtil.getParamSpec(params);
        }
-        return RSAUtil.getParamSpec(params);
+        return paramSpec;
    }

-    // Special method for setting the specified parameter bytes into the
-    // specified Signature object as signature parameters.
-    public static void specialSetParameter(Signature sig, byte[] paramBytes)
-            throws InvalidAlgorithmParameterException, ProviderException {
+    // Utility method for converting the specified parameter bytes into an
+    // AlgorithmParameterSpec object.
+    public static AlgorithmParameterSpec getParamSpec(String sigName,
+            byte[] paramBytes)
+            throws ProviderException {
+        sigName = checkName(sigName);
+        AlgorithmParameterSpec paramSpec = null;
        if (paramBytes != null) {
-            String sigName = sig.getAlgorithm();
+            if (sigName.toUpperCase().indexOf("RSA") == -1) {
+                throw new ProviderException
+                     ("Unrecognized algorithm for signature parameters " +
+                      sigName);
+            }
            AlgorithmParameters params =
                createAlgorithmParameters(sigName, paramBytes);
-            specialSetParameter(sig, params);
+            paramSpec = RSAUtil.getParamSpec(params);
        }
+        return paramSpec;
    }

-    // Special method for setting the specified AlgorithmParameter object
-    // into the specified Signature object as signature parameters.
-    public static void specialSetParameter(Signature sig,
-            AlgorithmParameters params)
-            throws InvalidAlgorithmParameterException, ProviderException {
-        if (params != null) {
-            String sigName = sig.getAlgorithm();
-            sig.setParameter(getParamSpec(sigName, params));
-        }
+    // Utility method for initializing the specified Signature object
+    // for verification with the specified key and params (may be null)
+    public static void initVerifyWithParam(Signature s, PublicKey key,
+            AlgorithmParameterSpec params)
+            throws ProviderException, InvalidAlgorithmParameterException,
+            InvalidKeyException {
+        SharedSecrets.getJavaSecuritySignatureAccess().initVerify(s, key, params);
+    }
+
+    // Utility method for initializing the specified Signature object
+    // for verification with the specified Certificate and params (may be null)
+    public static void initVerifyWithParam(Signature s,
+            java.security.cert.Certificate cert,
+            AlgorithmParameterSpec params)
+            throws ProviderException, InvalidAlgorithmParameterException,
+            InvalidKeyException {
+        SharedSecrets.getJavaSecuritySignatureAccess().initVerify(s, cert, params);
+    }
+
+    // Utility method for initializing the specified Signature object
+    // for signing with the specified key and params (may be null)
+    public static void initSignWithParam(Signature s, PrivateKey key,
+            AlgorithmParameterSpec params, SecureRandom sr)
+            throws ProviderException, InvalidAlgorithmParameterException,
+            InvalidKeyException {
+        SharedSecrets.getJavaSecuritySignatureAccess().initSign(s, key, params, sr);
    }
 }