[FEATURE REQ] Make key less can work with jdk1.8 version lower than 262.

[zhichengliu12581]

Key less function have these questions when the jdk1.8 version is lower than 262.

1. When using a browser access which certificate key length is longer than 256, can't provide signature。
2. When using client(SSLContext) access which certificate key length is shorter than 512, can't provide signature.
3. We don't support key less with RSA certificate.

[zhichengliu12581]

Points 1 and 2: When a lower version of jdk selects the signature algorithm supported, the certificate size will not affect the selection process. Caused the problem: When selecting the signature algorithm, the certificate in the keyvault does not support the selected algorithm. For example, the certificate of elliptic curve P-256 cannot be signed with SHA-512. When using a browser to access a resource (Web application), SHA-256 will be used first, so if the resource uses a P-512 certificate, the signature will fail. When using the client (SSLContext) to access the resource, first use SHA-512. If the resource uses a P-256 certificate, the signature will fail.

The temporary solution is add Security.setProperty("jdk.tls.disabledAlgorithms", "SHA256withECDSA,SHA512withECDSA,SHA512withRSA,SHA384withRSA"); in application to disable the Algorithms which shouldn't support. This is not a good solution.

Point 3: JDK doesn't support RSASSA-PSS before 262, we should add the SHA256withRSA,SHA384withRSA,SHA512withRSA for the lower version.

[saragluna]

Best practice should be only supporting the latest version of JDK.

[zhichengliu12581]

We don't support this feature because in version lower than 262, which can't support RSA256 and RSA512 at the same time. Also need to add Security.setProperty("jdk.tls.disabledAlgorithms", "SHA512withRSA,SHA384withRSA"); in different situations.