Don't know if you've noticed, but JDK-8146293 is marked as "In Progress".
The companion JSSE bug is: JDK-8166595.
Brad
On 6/9/2017 2:19 AM, Bernd Eckenfels wrote:
Hello,
Are there any plans to support RSA PSS as a Signature algorithm?
https://bugs.openjdk.java.net/browse/JDK-8146293
In the German energy market RSA PSS is used for signing messages, and
authorities demand to use it also for certificate signatures (RFC 4055)
starting with 2018. This is somewhat paranoid but hey, it's a field
requirement.
At the moment BouncyCastle can be used as a Signature provider and if
also used to create X509Certificate objects it can even verify the
Signature.
BTW: when the BC provider is registered the JDK X509Certificate.verify()
finds the RSA PSS OID and uses the BC implementation, however the
verification fails for non-standard parameters (which is not uncommon
since people try to avoid SHA1 in MGF1) as it does not parse and set the
appropriate parameters.
I wonder if the modularity of X509Certificate could be enhanced to allow
that? Having an option to extract ParameterSpec from a random signature
block would certainly be a nice feature (similar to looking up the
algorithm itself by OID)
BTW there was some discussion on PKCS#11 supporting it - I think the
Athena PKCS11 lib with their JCOS based IDProtect tokens supports RSAPSS
as a mechanism.
But I guess those are three different topics, JCE Signature,
X509CertExtension and PKCS11 mechanism.
Regards
Bernd
--
http://bernd.eckenfels.net
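
As an added illustration of the parameter handling discussed in this thread (not code from either poster, the JDK or BouncyCastle), the Python example below decodes the RFC 4055 RSASSA-PSS-params structure that accompanies the RSA PSS OID and applies the SHA-1 defaults for any absent field. The function names and the sample bytes in the comments are constructed for this example.

```python
# RFC 4055 defaults, used for every RSASSA-PSS-params field that is absent.
DEFAULTS = {"hash": "sha1", "mgf_hash": "sha1", "salt_len": 20, "trailer": 1}
HASH_OIDS = {  # DER-encoded OID bytes (hex) -> hash name
    "2b0e03021a": "sha1", "608648016503040201": "sha256",
    "608648016503040202": "sha384", "608648016503040203": "sha512",
}
MGF1_OID = "2a864886f70d010108"  # id-mgf1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def hash_from_algid(content):
    """Map the OID inside an AlgorithmIdentifier's content to a hash name."""
    tag, oid = children(content)[0]
    if tag != 0x06 or oid.hex() not in HASH_OIDS:
        raise ValueError("unsupported hash algorithm")
    return HASH_OIDS[oid.hex()]

def parse_pss_params(der):
    """Decode RSASSA-PSS-params; fields missing from the DER keep DEFAULTS."""
    params = dict(DEFAULTS)
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    for tag, wrapped in children(body):
        _, inner = children(wrapped)[0]      # explicit [n] tag wraps one element
        if tag == 0xA0:                      # [0] hashAlgorithm
            params["hash"] = hash_from_algid(inner)
        elif tag == 0xA1:                    # [1] maskGenAlgorithm
            (_, mgf_oid), (_, mgf_param) = children(inner)[:2]
            if mgf_oid.hex() != MGF1_OID:
                raise ValueError("unsupported mask generation function")
            params["mgf_hash"] = hash_from_algid(mgf_param)
        elif tag in (0xA2, 0xA3):            # [2] saltLength, [3] trailerField
            params["salt_len" if tag == 0xA2 else "trailer"] = int.from_bytes(inner, "big")
        else:
            raise ValueError("unexpected field in RSASSA-PSS-params")
    return params
```

A verifier that skips this step and assumes the defaults ends up checking a SHA-256/MGF1-SHA-256 signature with SHA-1 settings, which is the failure described in the thread.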