mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-27 06:45:07 +02:00
8223940: Private key not supported by chosen signature algorithm
Reviewed-by: valeriep
This commit is contained in:
Xue-Lei Andrew Fan
parent
7fbb1f5ae1
commit
b7f557e5c7
4 changed files with 102 additions and 77 deletions
|
|
@ -31,6 +31,7 @@ import java.security.*;
|
|||
import java.text.MessageFormat;
|
||||
import java.util.Arrays;
|
||||
import java.util.Locale;
|
||||
import java.util.Map;
|
||||
import sun.security.ssl.SSLHandshake.HandshakeMessage;
|
||||
import sun.security.ssl.X509Authentication.X509Credentials;
|
||||
import sun.security.ssl.X509Authentication.X509Possession;
|
||||
|
|
@ -563,31 +564,28 @@ final class CertificateVerify {
|
|||
|
||||
// This happens in client side only.
|
||||
ClientHandshakeContext chc = (ClientHandshakeContext)context;
|
||||
this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
|
||||
Map.Entry<SignatureScheme, Signature> schemeAndSigner =
|
||||
SignatureScheme.getSignerOfPreferableAlgorithm(
|
||||
chc.algorithmConstraints,
|
||||
chc.peerRequestedSignatureSchemes,
|
||||
x509Possession,
|
||||
chc.negotiatedProtocol);
|
||||
if (signatureScheme == null) {
|
||||
if (schemeAndSigner == null) {
|
||||
// Unlikely, the credentials generator should have
|
||||
// selected the preferable signature algorithm properly.
|
||||
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
|
||||
"No preferred signature algorithm for CertificateVerify");
|
||||
"No supported CertificateVerify signature algorithm for " +
|
||||
x509Possession.popPrivateKey.getAlgorithm() +
|
||||
" key");
|
||||
}
|
||||
|
||||
this.signatureScheme = schemeAndSigner.getKey();
|
||||
byte[] temproary = null;
|
||||
try {
|
||||
Signature signer =
|
||||
signatureScheme.getSignature(x509Possession.popPrivateKey);
|
||||
Signature signer = schemeAndSigner.getValue();
|
||||
signer.update(chc.handshakeHash.archived());
|
||||
temproary = signer.sign();
|
||||
} catch (NoSuchAlgorithmException |
|
||||
InvalidAlgorithmParameterException nsae) {
|
||||
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
|
||||
"Unsupported signature algorithm (" +
|
||||
signatureScheme.name +
|
||||
") used in CertificateVerify handshake message", nsae);
|
||||
} catch (InvalidKeyException | SignatureException ikse) {
|
||||
} catch (SignatureException ikse) {
|
||||
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
||||
"Cannot produce CertificateVerify signature", ikse);
|
||||
}
|
||||
|
|
@ -647,7 +645,7 @@ final class CertificateVerify {
|
|||
this.signature = Record.getBytes16(m);
|
||||
try {
|
||||
Signature signer =
|
||||
signatureScheme.getSignature(x509Credentials.popPublicKey);
|
||||
signatureScheme.getVerifier(x509Credentials.popPublicKey);
|
||||
signer.update(shc.handshakeHash.archived());
|
||||
if (!signer.verify(signature)) {
|
||||
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
||||
|
|
@ -865,18 +863,23 @@ final class CertificateVerify {
|
|||
X509Possession x509Possession) throws IOException {
|
||||
super(context);
|
||||
|
||||
this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
|
||||
Map.Entry<SignatureScheme, Signature> schemeAndSigner =
|
||||
SignatureScheme.getSignerOfPreferableAlgorithm(
|
||||
context.algorithmConstraints,
|
||||
context.peerRequestedSignatureSchemes,
|
||||
x509Possession,
|
||||
context.negotiatedProtocol);
|
||||
if (signatureScheme == null) {
|
||||
if (schemeAndSigner == null) {
|
||||
// Unlikely, the credentials generator should have
|
||||
// selected the preferable signature algorithm properly.
|
||||
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
|
||||
"No preferred signature algorithm for CertificateVerify");
|
||||
"No supported CertificateVerify signature algorithm for " +
|
||||
x509Possession.popPrivateKey.getAlgorithm() +
|
||||
" key");
|
||||
}
|
||||
|
||||
this.signatureScheme = schemeAndSigner.getKey();
|
||||
|
||||
byte[] hashValue = context.handshakeHash.digest();
|
||||
byte[] contentCovered;
|
||||
if (context.sslConfig.isClientMode) {
|
||||
|
|
@ -893,17 +896,10 @@ final class CertificateVerify {
|
|||
|
||||
byte[] temproary = null;
|
||||
try {
|
||||
Signature signer =
|
||||
signatureScheme.getSignature(x509Possession.popPrivateKey);
|
||||
Signature signer = schemeAndSigner.getValue();
|
||||
signer.update(contentCovered);
|
||||
temproary = signer.sign();
|
||||
} catch (NoSuchAlgorithmException |
|
||||
InvalidAlgorithmParameterException nsae) {
|
||||
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
|
||||
"Unsupported signature algorithm (" +
|
||||
signatureScheme.name +
|
||||
") used in CertificateVerify handshake message", nsae);
|
||||
} catch (InvalidKeyException | SignatureException ikse) {
|
||||
} catch (SignatureException ikse) {
|
||||
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
||||
"Cannot produce CertificateVerify signature", ikse);
|
||||
}
|
||||
|
|
@ -974,7 +970,7 @@ final class CertificateVerify {
|
|||
|
||||
try {
|
||||
Signature signer =
|
||||
signatureScheme.getSignature(x509Credentials.popPublicKey);
|
||||
signatureScheme.getVerifier(x509Credentials.popPublicKey);
|
||||
signer.update(contentCovered);
|
||||
if (!signer.verify(signature)) {
|
||||
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue