Webrev updated at
http://cr.openjdk.java.net/~weijun/8242068/webrev.01/
Two major changes:
1. Always use the signature algorithm directly in
SignerInfo::signatureAlgorithm:
In PKCS7 SignerInfo
SignerInfo ::= SEQUENCE {
version CMSVersion,
sid SignerIdentifier,
digestAlgorithm DigestAlgorithmIdentifier,
signedAttrs [0] IMPLICIT SignedAttributes OPTIONAL,
signatureAlgorithm SignatureAlgorithmIdentifier,
signature SignatureValue,
unsignedAttrs [1] IMPLICIT UnsignedAttributes OPTIONAL }
We have always been putting "SHA-1" etc into DigestAlgorithmIdentifier, and
"RSA", "DSA", "EC" into signatureAlgorithm.
The latest https://tools.ietf.org/html/rfc5652#section-10.1.2 claims it to be
The SignatureAlgorithmIdentifier type identifies a signature
algorithm, and it can also identify a message digest algorithm.
Examples include RSA, DSA, DSA with SHA-1, ECDSA, and ECDSA with
SHA-256.
It's complicated to always divide a signature algorithm into a digest algorithm
and an encryption algorithm (and with the new RSASSA-PSS and EdDSA it's not
easy to define it), therefore I decide to use the signature algorithm directly
from now on. Fortunately Java has been able to parse this for a very long time
so there is no compatibility issue. I noticed BouncyCastle has been doing the
same, and OpenSSL too except for RSA.
2. Support both SHAKE256 and SHAKE256-LEN while parsing a Ed448 SignerInfo.
They are both described in https://www.rfc-editor.org/rfc/rfc8419.html although
it's a little complicated. To be standard compliant
(https://www.rfc-editor.org/rfc/rfc8419.html#section-3.2 and we don't use
Signed Attributes), by default Java will use SHAKE256 as the digestAlgorithm.
However I noticed BouncyCastle does not recognize it, so if you set the system
property "jdk.security.pkcs7.ed448.digalg.haslen" to "true", it will use
SHAKE256-LEN (len == 512). I haven't described this system property in the CSR
yet.
Thanks,
Max
> On May 22, 2020, at 10:30 PM, Weijun Wang <[email protected]> wrote:
>
> Please take a review at
>
> CSR : https://bugs.openjdk.java.net/browse/JDK-8245274
> webrev : http://cr.openjdk.java.net/~weijun/8242068/webrev.00/
>
> Major points in CSR:
>
> - new sigalg "RSASSA-PSS", "EdDSA", "Ed25519" and "Ed448" can be used in
> jarsigner
>
> - The ".RSA" and ".EC" block extension types (PKCS #7 SignedData inside a
> signed JAR) are reused for new signature algorithms
>
> major code changes:
>
> - Move signature related utilities methods from AlgorithmId.java to
> SignatureUtil.java
>
> - Add new SignatureUtil methods fromKey() and fromSignature() to simplify
> creating Signature and getting its AlgorithmId
>
> - Use the new methods in PKCS10, X509CertImpl, and X509CRLImpl signing
>
> - Add a new (and intuitive, IMHO) PKCS7::generateNewSignedData capable of all
> old and new signature algorithms
>
> - Mark all -altsign related code deprecated and they can be removed once
> ContentSigner is removed
>
> Next I'll do some basic interop tests with openssl and BouncyCastle.
>
> Thanks,
> Max
>
