--- old/src/java.base/share/classes/sun/security/pkcs10/PKCS10.java 2018-05-11 15:04:23.009290500 -0700 +++ new/src/java.base/share/classes/sun/security/pkcs10/PKCS10.java 2018-05-11 15:04:22.361623600 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,11 +31,8 @@ import java.math.BigInteger; import java.security.cert.CertificateException; -import java.security.NoSuchAlgorithmException; -import java.security.InvalidKeyException; -import java.security.Signature; -import java.security.SignatureException; -import java.security.PublicKey; +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; import java.util.Base64; @@ -43,6 +40,8 @@ import sun.security.x509.AlgorithmId; import sun.security.x509.X509Key; import sun.security.x509.X500Name; +import sun.security.util.SignatureUtil; + /** * A PKCS #10 certificate request is created and sent to a Certificate @@ -169,12 +168,23 @@ try { sigAlg = id.getName(); sig = Signature.getInstance(sigAlg); + + // set parameters before Signature.initSign/initVerify call, + // so key can be checked when it's set + SignatureUtil.specialSetParameter(sig, id.getParameters()); + sig.initVerify(subjectPublicKeyInfo); sig.update(data); - if (!sig.verify(sigData)) + if (!sig.verify(sigData)) { throw new SignatureException("Invalid PKCS #10 signature"); + } } catch (InvalidKeyException e) { - throw new SignatureException("invalid key"); + throw new SignatureException("Invalid key"); + } catch (InvalidAlgorithmParameterException e) { + throw new SignatureException("Invalid signature parameters", e); + } catch (ProviderException e) { + throw new SignatureException("Error parsing signature parameters", + e.getCause()); } }