Re: RFR[13] JDK-8225745: NoSuchAlgorithmException exception for SHA256withECDSA with RSASSA-PSS support

Tue, 09 Jul 2019 21:13:17 -0700 

http://cr.openjdk.java.net/~valeriep/8225745/webrev.02/

On 7/9/2019 8:02 PM, Valerie Peng wrote:

Hmm, not sure why ECUtil discards the exception and returns null...
I plan to add a check inside SignatureUtil to check for null and error out to make the EC case consistent with others. Rerunning mach5 now to double check. 

Thanks for noticing this.
Valerie
On 7/8/2019 7:45 PM, Weijun Wang wrote:

SignatureUtil::getParamSpec(String,byte[]):
  126                     paramSpec = ECUtil.getECParameterSpec(p, paramBytes);
ECUtil.getECParameterSpec() could return null when "parameters.getParameterSpec(ECParameterSpec.class)" throws an InvalidParameterSpecException. So the behavior is now different from the other getParamSpec(String,AlgorithmParameters) method where the exception is wrapped into a ProviderException. Does this matter? 

Thanks,
Max
On Jul 9, 2019, at 8:09 AM, Valerie Peng <valerie.p...@oracle.com> wrote: 


Here is the updated webrev w/ ECUtil.equals() utility method:

http://cr.openjdk.java.net/~valeriep/8225745/webrev.01/

Regards,
Valerie
On 7/8/2019 12:12 PM, Valerie Peng wrote:
Right, based on the current impl, a simple "==" seems to work as it's the same NamedCurve instance inside CurveDB. Well, I could also do a bit of code refactoring and add an equals utility method to ECUtil so this may work better with 3rd party provider's impl. 

Thanks,
Valerie
On 7/2/2019 8:27 PM, Weijun Wang wrote:
   368     private static boolean isCompatible(ECParameterSpec sigParams, 
   369             ECParameterSpec keyParams) {
   370         if (sigParams == null) {
   371             // no restriction on key param
   372             return true;
   373         }
   374         return sigParams.equals(keyParams);
   375     }
What does "sigParams.equals(keyParams)" mean here? What is the getClass() of those 2 ECParameterSpec objects?
Or maybe you mean "==" because it is always a NamedCurve stored in CurveDB? 

Thanks,
Max
On Jul 3, 2019, at 10:48 AM, Valerie Peng <valerie.p...@oracle.com> wrote: 

Hi
Any one can help reviewing this fix? Some ECDSA certificates contains signature algorithm identifiers with non-null parameter bytes. Before RSASSA-PSS support, these parameter bytes are ignored, however, after RSASSA-PSS support, the parameter bytes are passed to the underlying signature impl and this breaks the ECDSA certificate verification. In order for the verification to succeeds, the SignatureUtil class needs to be able to parse the parameter bytes for ECDSA certificate and that SunEC provider needs to accept non-null signature parameters. 

Bug: https://bugs.openjdk.java.net/browse/JDK-8225745
Webrev: http://cr.openjdk.java.net/~valeriep/8225745/webrev.00/

Mach5 run is clean.

Thanks,
Valerie

Reply via email to