google / conscrypt

Conscrypt is a Java Security Provider that implements parts of the Java Cryptography Extension and Java Secure Socket Extension.
Apache License 2.0

keytool now calls Signature.getParameters() and Conscrypt throws UnsupportedOperationException #878

Open space88man opened 3 years ago

space88man commented 3 years ago

Newer keytool (sun.security.tools.keytool.Main) in JDK8u > 242, and JDK11 calls Signature.getParameters() from PKCS10.encodeAndSign() and the Conscrypt provider throws UnsupportedOperationException.

Possibly Conscrypt should return null, like SunEC, and as recommended in the docs, https://docs.oracle.com/javase/8/docs/api/java/security/Signature.html.

```
# Override SunEC
cat > conscrypt.properties <<EOF
# in the default installation SunEC is .3
security.provider.3=org.conscrypt.OpenSSLProvider
EOF

# -genkeypair
$ java -cp ../lib/conscrypt-openjdk-uber-2.5.0.jar -Djava.security.properties=conscrypt.properties  \
    sun.security.tools.keytool.Main  -v  -keystore 0.p12 -storetype PKCS12 -storepass password \
    -genkeypair -alias ecpair -keyalg ec -keysize 256 -dname CN=ecpair
Generating 256 bit EC key pair and self-signed certificate (SHA256withECDSA) with a validity of 90 days
    for: CN=ecpair
[Storing 0.p12]
# Observation: -genkeypair signs the TBSCertificate, but does not call Signature.getParameters() hence
# this works

# -certreq
$ java -cp ../lib/conscrypt-openjdk-uber-2.5.0.jar -Djava.security.properties=conscrypt.properties \
    sun.security.tools.keytool.Main  -v  -keystore 0.p12 -storetype PKCS12 -storepass password \
    -certreq -alias ecpair -file ecpair.req
keytool error: java.lang.UnsupportedOperationException
java.lang.UnsupportedOperationException
    at java.security.SignatureSpi.engineGetParameters(SignatureSpi.java:404)
    at java.security.Signature$Delegate.engineGetParameters(Signature.java:1431)
    at java.security.Signature.getParameters(Signature.java:1006)
    at sun.security.pkcs10.PKCS10.encodeAndSign(PKCS10.java:244)
    at sun.security.tools.keytool.Main.doCertReq(Main.java:1470)
    at sun.security.tools.keytool.Main.doCommands(Main.java:979)
    at sun.security.tools.keytool.Main.run(Main.java:370)
    at sun.security.tools.keytool.Main.main(Main.java:363)
```

Tested on Fedora 32 with:

space88man commented 3 years ago

Post-JDK8u242 the implementation of PKCS10.encodeAndSign() has changed; it now calls Signature.getParameters(), which in turn calls engineGetParameters().

The SunEC implementation returns null; both Conscrypt and BouncyCastle throw UnsupportedOperationException.
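The two behaviours discussed in this thread can be reproduced without Conscrypt. The following is an added example, not code from the issue or from the Conscrypt project: `ThrowingSpi`, `NullSpi`, `paramsOrNull` and the `Demo` provider are hypothetical names. It shows the inherited `SignatureSpi.engineGetParameters()` throwing, an override that returns null, and a caller-side guard that treats both the same way.

```java
import java.security.AlgorithmParameters;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureSpi;

public class SignatureParamsDemo {
    // Hypothetical SPI that does not override engineGetParameters(), so the
    // SignatureSpi default runs and throws, as in the stack trace above.
    public static class ThrowingSpi extends SignatureSpi {
        protected void engineInitVerify(PublicKey k) {}
        protected void engineInitSign(PrivateKey k) {}
        protected void engineUpdate(byte b) {}
        protected void engineUpdate(byte[] b, int off, int len) {}
        protected byte[] engineSign() { return new byte[0]; }
        protected boolean engineVerify(byte[] sig) { return false; }
        protected void engineSetParameter(String p, Object v) {}
        protected Object engineGetParameter(String p) { return null; }
    }

    // Same SPI, but reporting "no parameters" by returning null.
    public static class NullSpi extends ThrowingSpi {
        @Override protected AlgorithmParameters engineGetParameters() { return null; }
    }

    // Caller-side guard (an assumption of this example): map "unsupported" to null.
    static AlgorithmParameters paramsOrNull(Signature s) {
        try { return s.getParameters(); }
        catch (UnsupportedOperationException e) { return null; }
    }

    public static void main(String[] args) throws Exception {
        // Constructed in-memory provider; nothing is installed globally.
        Provider demo = new Provider("Demo", 1.0, "constructed demo provider") {};
        demo.put("Signature.THROWING", ThrowingSpi.class.getName());
        demo.put("Signature.NULLPARAMS", NullSpi.class.getName());

        Signature nul = Signature.getInstance("NULLPARAMS", demo);
        System.out.println("NULLPARAMS: " + nul.getParameters());
        Signature thr = Signature.getInstance("THROWING", demo);
        try {
            thr.getParameters();
        } catch (UnsupportedOperationException e) {
            System.out.println("THROWING: " + e);
        }
        System.out.println("guarded: " + paramsOrNull(thr));
    }
}
```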