  1. EJBCA
  2. ECA-9679

Signing with RSASSA-PSS not working in OpenJDK 8u272/11.0.6 without Java patch

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: EJBCA 7.4.3.2
    • Component/s: None
    • Environment:
      OracleJDK since 8u241
      OpenJDK since 8u272
      OpenJDK since 11.0.6
    • Issue discovered during:
      Customer
    • Sprint:
      EJBCA Team Alice - 2020 w50

      Description

      The signature algorithm SHA256WithRSAAndMGF1 is supported in the Sun PKCS#11 provider since Oracle JDK 8u241 but with a different name.
      It was previously added in OpenJDK and working as SHA256WithRSAAndMGF1. However, the backport in OpenJDK 8u272 broke this.

      In the backport the signature algorithm name "SHA256withRSASSA-PSS" seems to be used instead of "SHA256WithRSAAndMGF1" (untested).

      Since there are Java versions out there using either of the names, we still need support for the old name to not have to force Java upgrades.

      • OpenJDK between u242 (something) and u272
      • OpenJDK u272 and later
      • OpenJDK with our patch to add the algorithm to SunPKCS11

      Relevant issues in OracleJDK and OpenJDK:
      https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8080462
      https://bugs.openjdk.java.net/browse/JDK-8080462
      https://bugs.openjdk.java.net/browse/JDK-8232950
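
      The description above asks for both algorithm names to keep working. As an added example (not EJBCA's code and not the fix shipped in 7.4.3.2), one way to pick the name at runtime is to ask the provider which of the two names from this issue it registers. The class and method names are hypothetical.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;

public class PssNameProbe {
    // The two names from the issue text: the old name first, then the
    // name the backport seems to use. Provider lookups are case-insensitive.
    static final List<String> CANDIDATES =
            Arrays.asList("SHA256WithRSAAndMGF1", "SHA256withRSASSA-PSS");

    /** Returns the first candidate name this provider registers as a Signature service. */
    static Optional<String> resolve(Provider provider) {
        for (String name : CANDIDATES) {
            if (provider.getService("Signature", name) != null) {
                return Optional.of(name);
            }
        }
        return Optional.empty();
    }

    /** Obtains a Signature from the provider under whichever of the two names it offers. */
    static Signature getPssSignature(Provider provider) throws NoSuchAlgorithmException {
        String name = resolve(provider).orElseThrow(() -> new NoSuchAlgorithmException(
                "None of " + CANDIDATES + " is registered by " + provider.getName()));
        return Signature.getInstance(name, provider);
    }

    public static void main(String[] args) {
        // Lists every installed provider. A SunPKCS11 provider only shows up here
        // if it is configured in java.security or was added with Security.addProvider.
        for (Provider p : Security.getProviders()) {
            System.out.println(p.getName() + ": "
                    + resolve(p).orElse("(neither name registered)"));
        }
    }
}
```

      Running `main` on each JDK build in use shows which name its providers accept, without needing a token operation.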

              People

              Assignee:
              tomas Tomas Gustavsson
              Reporter:
              rubinaa Rubina Akram
              Verified by:
              Henrik Sunmark