8223940: Private key not supported by chosen signature algorithm

Reviewed-by: valeriep
2025-08-28 15:24:43 +02:00 · 2019-11-06 09:45:04 -08:00 · 2019-11-06 09:45:04 -08:00 · b7f557e5c7
commit b7f557e5c7
parent 7fbb1f5ae1
4 changed files with 102 additions and 77 deletions
--- a/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java
+++ b/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java
@ -38,7 +38,7 @@ import java.security.Signature;
 import java.security.SignatureException;
 import java.text.MessageFormat;
 import java.util.Locale;
-import sun.security.ssl.NamedGroup.NamedGroupSpec;
+import java.util.Map;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
 import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
 import sun.security.ssl.X509Authentication.X509Credentials;
@ -135,27 +135,22 @@ final class ECDHServerKeyExchange {
                        shc.negotiatedProtocol.useTLS12PlusSpec();
                Signature signer = null;
                if (useExplicitSigAlgorithm) {
-                    signatureScheme = SignatureScheme.getPreferableAlgorithm(
-                            shc.algorithmConstraints,
-                            shc.peerRequestedSignatureSchemes,
-                            x509Possession,
-                            shc.negotiatedProtocol);
-                    if (signatureScheme == null) {
+                    Map.Entry<SignatureScheme, Signature> schemeAndSigner =
+                            SignatureScheme.getSignerOfPreferableAlgorithm(
+                                shc.algorithmConstraints,
+                                shc.peerRequestedSignatureSchemes,
+                                x509Possession,
+                                shc.negotiatedProtocol);
+                    if (schemeAndSigner == null) {
                        // Unlikely, the credentials generator should have
                        // selected the preferable signature algorithm properly.
                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
-                                "No preferred signature algorithm for " +
+                                "No supported signature algorithm for " +
                                x509Possession.popPrivateKey.getAlgorithm() +
                                "  key");
-                    }
-                    try {
-                        signer = signatureScheme.getSignature(
-                                x509Possession.popPrivateKey);
-                    } catch (NoSuchAlgorithmException | InvalidKeyException |
-                            InvalidAlgorithmParameterException nsae) {
-                        throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
-                            "Unsupported signature algorithm: " +
-                            signatureScheme.name, nsae);
+                    } else {
+                        signatureScheme = schemeAndSigner.getKey();
+                        signer = schemeAndSigner.getValue();
                    }
                } else {
                    signatureScheme = null;
@ -276,7 +271,7 @@ final class ECDHServerKeyExchange {
            Signature signer;
            if (useExplicitSigAlgorithm) {
                try {
-                    signer = signatureScheme.getSignature(
+                    signer = signatureScheme.getVerifier(
                            x509Credentials.popPublicKey);
                } catch (NoSuchAlgorithmException | InvalidKeyException |
                        InvalidAlgorithmParameterException nsae) {