Re: [10] RFR: 8182143: SHA224-based signature algorithms are not enabled for TLSv12 on Windows

Thu, 15 Jun 2017 18:13:08 -0700

That sounds strange to me. I assume that if an algorithm is provided by a provider on all platforms, then it should work on all platforms no matter what. I am not sure that I really understand the problem, but probably it's about some problems that may occur if multiple providers are used together when for a TLS connection. I may guess that the problem may be in incompatibility of key implementations for different providers. If so, this looks like an issue to me. Please correct me if I am wrong.
Probably there may be some specific case which fails, but SignatureAlgorithms.java test works fine now, and seems like SHA224 can be successfully used for establishing a connection. 


I am okay to back out the fix, but it would be good to have a testcase 
which shows the problem why the fix should be backed out. Then, we can 
work on a solution for that.


Artem


On 06/15/2017 04:37 PM, Xuelei Fan wrote:

Hi Bernd,


Thanks for the correction.  I really missed the point that there are 
issues to enabled SHA-224 for SunMSCAPI provider.


On 6/15/2017 4:06 PM, Bernd Eckenfels wrote:

Hello,


If I recall correctly the idea of disabling those algorithms if 
SunMSCAPI IS(!) present was to avoid agreeing on a Signature 
algorithm which could not be supported by RSA offloaded keys inside 
CryptoAPI.



Having said that the suggested ciphers might need to be made 
dependent on the capabilities of the Signature provider for a given 
key type (especially if it is a key handle only).



Agreed.  Besides, we may check the availability of each signature and 
hash algorithms, rather than hard-coded them.  I filed a new bug for 
the tracking:

   https://bugs.openjdk.java.net/browse/JDK-8182318

Thanks & Regards,
Xuelei


Has this changed and the signatures are supported now by MSCapi?

Gruss
Bernd
--
http://bernd.eckenfels.net
------------------------------------------------------------------------

*From:* security-dev <[email protected]> on 
behalf of Artem Smotrakov <[email protected]>

*Sent:* Thursday, June 15, 2017 10:57:00 PM
*To:* Xuelei Fan; Security Dev OpenJDK

*Subject:* [10] RFR: 8182143: SHA224-based signature algorithms are 
not enabled for TLSv12 on Windows

Hi Xuelei,

Could you please take a look at this patch?

It enables SHA224-based signature algorithms on Windows since they
should be provided not only by SunMSCAPI provider. Please see details in
the bug description.

The test works fine on all supported platforms.

Bug: https://bugs.openjdk.java.net/browse/JDK-8182143
Webrev: http://cr.openjdk.java.net/~asmotrak/8182143/webrev.00/

Artem
























					Reply via email to