--- old/src/java.base/share/classes/sun/security/x509/X509CertImpl.java	2019-04-10 18:52:31.811254300 -0400
+++ new/src/java.base/share/classes/sun/security/x509/X509CertImpl.java	2019-04-10 18:52:30.909164100 -0400
@@ -422,16 +422,18 @@
         }
         // Verify the signature ...
         Signature sigVerf = null;
-        String sigName = algId.getName();
         if (sigProvider.isEmpty()) {
-            sigVerf = Signature.getInstance(sigName);
+            sigVerf = Signature.getInstance(algId.getName());
         } else {
-            sigVerf = Signature.getInstance(sigName, sigProvider);
+            sigVerf = Signature.getInstance(algId.getName(), sigProvider);
         }
 
+        sigVerf.initVerify(key);
+
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selection happens when key is set
         try {
-            SignatureUtil.initVerifyWithParam(sigVerf, key,
-                SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
+            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
         } catch (ProviderException e) {
             throw new CertificateException(e.getMessage(), e.getCause());
         } catch (InvalidAlgorithmParameterException e) {
@@ -476,16 +478,18 @@
         }
         // Verify the signature ...
         Signature sigVerf = null;
-        String sigName = algId.getName();
         if (sigProvider == null) {
-            sigVerf = Signature.getInstance(sigName);
+            sigVerf = Signature.getInstance(algId.getName());
         } else {
-            sigVerf = Signature.getInstance(sigName, sigProvider);
+            sigVerf = Signature.getInstance(algId.getName(), sigProvider);
         }
 
+        sigVerf.initVerify(key);
+
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selection happens when key is set
         try {
-            SignatureUtil.initVerifyWithParam(sigVerf, key,
-                SignatureUtil.getParamSpec(sigName, getSigAlgParams()));
+            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
         } catch (ProviderException e) {
             throw new CertificateException(e.getMessage(), e.getCause());
         } catch (InvalidAlgorithmParameterException e) {
@@ -583,19 +587,22 @@
             InvalidKeyException, InvalidAlgorithmParameterException,
             NoSuchProviderException, SignatureException {
         try {
-            if (readOnly) {
+            if (readOnly)
                 throw new CertificateEncodingException(
-                        "cannot over-write existing certificate");
-            }
+                              "cannot over-write existing certificate");
             Signature sigEngine = null;
-            if (provider == null || provider.isEmpty()) {
+            if (provider == null || provider.isEmpty())
                 sigEngine = Signature.getInstance(algorithm);
-            } else {
+            else
                 sigEngine = Signature.getInstance(algorithm, provider);
-            }
 
-            SignatureUtil.initSignWithParam(sigEngine, key, signingParams,
-                    null);
+            sigEngine.initSign(key);
+
+            if (signingParams != null) {
+                // set parameters after Signature.initSign/initVerify call, so
+                // the deferred provider selection happens when the key is set
+                sigEngine.setParameter(signingParams);
+            }
 
             // in case the name is reset
             if (signingParams != null) {