
IAIK-JCE 5.5 released!


We have released version 5.5 of our IAIK-JCE crypto toolkit!

Version 5.5 fixes a signature algorithm name incompatibility in the JSSE algorithm constraint checking of JDK 8u141 and possibly later releases. When checking the TLS 1.2 SignatureAlgorithms extension during a TLS 1.2 handshake, JSSE expects the getSigAlgName method of the server X509Certificate object to return the name of the certificate signature algorithm as a JCA standard name. However, for RSA PKCS#1v1.5 signature algorithms the JCA standard naming scheme has changed from the original "<HASH>/RSA" (e.g. "SHA256/RSA") to "<HASH>withRSA" (e.g. "SHA256withRSA"). For backwards compatibility, IAIK-JCE had to keep the original notation for the getImplementationName() method of its AlgorithmID class. Since X509Certificate.getSigAlgName() calls AlgorithmID.getImplementationName(), JSSE receives the signature algorithm name in the original "<HASH>/RSA" notation when IAIK is installed as the first provider, whereas it expects the "<HASH>withRSA" notation. This may cause a TLS handshake to fail with an "Algorithm constraints check failed on signature algorithm: SHA256/RSA" CertPathValidatorException.

For that reason, IAIK-JCE 5.5 introduces a new method getJCAStandardName in class AlgorithmID and now uses it to return the signature algorithm name from the getSigAlgName method of its X509Certificate and X509CRL classes. This fixes the JSSE naming incompatibility while still allowing applications to use the accustomed original RSA PKCS#1v1.5 signature algorithm name notation when calling AlgorithmID.getImplementationName(). Oracle is also aware of this issue and will fix it in future JRE versions by changing back to provider-independent algorithm constraints checking.
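A small diagnostic, added here as an example and not taken from IAIK-JCE, that walks the same call path JSSE uses and reports whether a deployment is affected: it loads a server certificate through the installed provider chain (so the first provider decides which X509Certificate implementation is returned), checks whether getSigAlgName() comes back in the legacy "<HASH>/RSA" notation, and maps it to the "<HASH>withRSA" form JSSE expects. The provider-name prefix "IAIK" and the certificate file argument are assumptions; the hash token in the name is carried over unchanged.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Diagnostic for the JSSE "Algorithm constraints check failed on signature
 * algorithm: SHA256/RSA" problem. Added example, not code from IAIK-JCE.
 * Assumes the IAIK provider registers under a name starting with "IAIK"
 * (assumption) and that the server certificate is given as a DER or PEM
 * file in args[0].
 */
public class SigAlgNameCheck {

    // Legacy notation "<HASH>/RSA", e.g. "SHA256/RSA"; the hash token is kept as-is.
    private static final Pattern LEGACY_RSA = Pattern.compile("^([A-Za-z0-9-]+)/RSA$");

    /** True if the name uses the legacy "<HASH>/RSA" notation that JSSE's constraint check rejects. */
    public static boolean isLegacyNotation(String sigAlgName) {
        return LEGACY_RSA.matcher(sigAlgName).matches();
    }

    /**
     * Map "<HASH>/RSA" to the JCA standard "<HASH>withRSA"
     * (e.g. "SHA256/RSA" -> "SHA256withRSA"); any other name is returned unchanged.
     */
    public static String toJcaStandardName(String sigAlgName) {
        Matcher m = LEGACY_RSA.matcher(sigAlgName);
        return m.matches() ? m.group(1) + "withRSA" : sigAlgName;
    }

    /** 0-based position of the first provider whose name starts with "IAIK", or -1 if not installed. */
    public static int iaikProviderPosition() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if (providers[i].getName().startsWith("IAIK")) {
                return i;
            }
        }
        return -1;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java SigAlgNameCheck <server-cert.pem|.der>");
            System.exit(2);
        }
        // Same path JSSE takes: the installed provider order decides which
        // X509Certificate implementation (and thus which getSigAlgName) we get.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }

        String name = cert.getSigAlgName();
        int pos = iaikProviderPosition();
        System.out.println("certificate class : " + cert.getClass().getName());
        System.out.println("getSigAlgName()   : " + name);
        System.out.println("IAIK provider pos : " + (pos < 0 ? "not installed" : String.valueOf(pos)));

        if (isLegacyNotation(name)) {
            System.out.println("AFFECTED: legacy notation; JSSE on JDK 8u141+ expects \""
                    + toJcaStandardName(name) + "\". Update to IAIK-JCE 5.5 or later.");
            System.exit(1);
        }
        System.out.println("OK: signature algorithm name is in JCA standard notation.");
    }
}
```

Run it on the same JRE and with the same provider configuration as the affected application, since the result depends on which provider is first in java.security; a non-zero exit code makes it usable from a deployment check script.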

Furthermore, IAIK-JCE 5.5 implements SHA-3 based signature and HMAC algorithms and adds comprehensive support for using the IAIK provider without installing it in the JCA/JCE Security framework.

See the IAIK-JCE product page for a detailed list of changes, fixes and new features, and visit our download center to get the new version.

Kind regards,
Your SIC/IAIK Java Security Team!
