When I try to open an LDAP connection using an SSLContext, I get the following certificate validation error.
javax.naming.CommunicationException: simple bind failed: <Host>:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints]
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:219)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2791)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
at javax.naming.InitialContext.init(InitialContext.java:244)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Alerts.java:198)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:333)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:327)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1689)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1084)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:1012)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:765)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:441)
at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:414)
at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:359)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:214)
... 91 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1236)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1158)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1100)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1671)
... 104 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: RSASSA-PSS
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:278)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1232)
... 107 more
I confirmed that the RSASSA-PSS algorithm is supported on the latest Zulu JDK 8u252 by printing the providers and their signature algorithms as follows.
import java.security.Provider;
import java.security.Security;
import java.util.Enumeration;

Provider[] p = Security.getProviders();
for (int i = 0; i < p.length; i++) {
    log.debug(p[i].toString());
    // dump every service key registered by this provider
    for (Enumeration<Object> e = p[i].keys(); e.hasMoreElements();)
        log.debug("\t" + e.nextElement());
}
This prints Signature.RSASSA-PSS in one of the log lines.
Also, when I run KeyFactory.getInstance("RSASSA-PSS"), the signature algorithm details are as follows.
result = {SunRsaSign@17319} size = 60
"Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Signature.SHA224withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.2" -> "MD2withRSA"
"Provider.id name" -> "SunRsaSign"
"Signature.SHA224withRSA" -> "sun.security.rsa.RSASignature$SHA224withRSA"
"Signature.RSASSA-PSS" -> "sun.security.rsa.RSAPSSSignature"
"Signature.SHA512withRSA" -> "sun.security.rsa.RSASignature$SHA512withRSA"
"Signature.MD5withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Signature.MD2withRSA" -> "sun.security.rsa.RSASignature$MD2withRSA"
"Signature.SHA512/256withRSA" -> "sun.security.rsa.RSASignature$SHA512_256withRSA"
"Signature.MD2withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"KeyFactory.RSASSA-PSS" -> "sun.security.rsa.RSAKeyFactory$PSS"
"Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1" -> "RSA"
"Provider.id version" -> "1.8"
"KeyFactory.RSA" -> "sun.security.rsa.RSAKeyFactory$Legacy"
"Signature.SHA512withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Signature.MD5withRSA" -> "sun.security.rsa.RSASignature$MD5withRSA"
"Signature.SHA256withRSA" -> "sun.security.rsa.RSASignature$SHA256withRSA"
"Signature.SHA512/256withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1" -> "RSA"
"KeyPairGenerator.RSASSA-PSS" -> "sun.security.rsa.RSAKeyPairGenerator$PSS"
"Signature.SHA1withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.16" -> "SHA512/256withRSA"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.15" -> "SHA512/224withRSA"
"AlgorithmParameters.RSASSA-PSS" -> "sun.security.rsa.PSSParameters"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.14" -> "SHA224withRSA"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.13" -> "SHA512withRSA"
"Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1" -> "RSA"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.12" -> "SHA384withRSA"
"Signature.SHA256withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.11" -> "SHA256withRSA"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Signature.SHA512/224withRSA" -> "sun.security.rsa.RSASignature$SHA512_224withRSA"
"Provider.id info" -> "Sun RSA signature provider"
"Signature.RSASSA-PSS SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.KeyFactory.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Signature.SHA1withRSA" -> "sun.security.rsa.RSASignature$SHA1withRSA"
"Signature.SHA384withRSA" -> "sun.security.rsa.RSASignature$SHA384withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.16" -> "SHA512/256withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.15" -> "SHA512/224withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.14" -> "SHA224withRSA"
"Alg.Alias.Signature.1.3.14.3.2.29" -> "SHA1withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.13" -> "SHA512withRSA"
"Signature.SHA512/224withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.AlgorithmParameters.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Alg.Alias.Signature.1.2.840.113549.1.1.12" -> "SHA384withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.5" -> "SHA1withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.11" -> "SHA256withRSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.4" -> "MD5withRSA"
"Provider.id className" -> "sun.security.rsa.SunRsaSign"
"Alg.Alias.KeyFactory.1.2.840.113549.1.1" -> "RSA"
"Alg.Alias.Signature.1.2.840.113549.1.1.10" -> "RSASSA-PSS"
"Signature.SHA384withRSA SupportedKeyClasses" -> "java.security.interfaces.RSAPublicKey|java.security.interfaces.RSAPrivateKey"
"Alg.Alias.Signature.1.2.840.113549.1.1.2" -> "MD2withRSA"
"KeyPairGenerator.RSA" -> "sun.security.rsa.RSAKeyPairGenerator$Legacy"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.5" -> "SHA1withRSA"
"Alg.Alias.Signature.OID.1.2.840.113549.1.1.4" -> "MD5withRSA"
The contents of the server certificate are as follows. Note that the signature algorithm is RSASSA-PSS.
Version: 3
SerialNumber: 2586886443162469273038800222551716765315891225
IssuerDN: <Issuer DN>
Start Date: Thu Mar 12 17:57:45 IST 2020
Final Date: Fri Mar 12 17:57:45 IST 2021
SubjectDN: <Subject DN>
Public Key: RSA Public Key
modulus: <modulus omitted>
public exponent: 10001
Signature Algorithm: RSASSA-PSS
Signature: 60622de6b5fcc485657a8b08f85791feb10ad70e
6832105575eaf71e91af49d6d4db80140b509741
4e4e2ff6b23d8702eba4bf08682546595896e2da
aa65cb1d4199c1226408a5055c15bad7dc9c16e9
8a5de7a8a11b64eb0a4c673d3ac3fb5146770d16
d5bd51b460d8de088c8c164af0e139670b676ec9
919f38145c57a0f39e971983c6129f9df1b7be63
8066d8897f82a06e066a7ee217ae399e3e4ff249
13aee87a75bb036b2296c328f123d2dd8f0f6284
e7473783ef6f6ed36849fb69de3a44bbfee9f26c
6b7fe9981fa1d123d8c64e1136ac6219a4ed3d54
04faa124db2af80564f6f13911b8595eec6768da
877943dfe69ded5bb23f40fc79d30d7d
Extensions:
critical(false) 1.3.6.1.4.1.311.20.2 value = BMPString(DomainController)
critical(false) 2.5.29.37 value = DER Sequence
ObjectIdentifier(1.3.6.1.5.5.7.3.2)
ObjectIdentifier(1.3.6.1.5.5.7.3.1)
critical(true) KeyUsage: 0xa0
critical(false) 1.2.840.113549.1.9.15 value = DER Sequence
DER Sequence
ObjectIdentifier(1.2.840.113549.3.2)
Integer(128)
DER Sequence
ObjectIdentifier(1.2.840.113549.3.4)
Integer(128)
DER Sequence
ObjectIdentifier(2.16.840.1.101.3.4.1.42)
DER Sequence
ObjectIdentifier(2.16.840.1.101.3.4.1.45)
DER Sequence
ObjectIdentifier(2.16.840.1.101.3.4.1.2)
DER Sequence
ObjectIdentifier(2.16.840.1.101.3.4.1.5)
DER Sequence
ObjectIdentifier(1.3.14.3.2.7)
DER Sequence
ObjectIdentifier(1.2.840.113549.3.7)
critical(false) 2.5.29.17 value = DER Sequence
Tagged [0] IMPLICIT
DER Sequence
ObjectIdentifier(1.3.6.1.4.1.311.25.1)
Tagged [0]
DER Octet String[16]
Tagged [2] IMPLICIT
DER Octet String[18]
critical(false) 2.5.29.14 value = DER Octet String[20]
critical(false) 2.5.29.35 value = DER Sequence
Tagged [0] IMPLICIT
DER Octet String[20]
critical(false) 2.5.29.31 value = DER Sequence
DER Sequence
Tagged [0]
Tagged [0]
Tagged [6] IMPLICIT
DER Octet String[186]
critical(false) 1.3.6.1.5.5.7.1.1 value = DER Sequence
DER Sequence
ObjectIdentifier(1.3.6.1.5.5.7.48.2)
Tagged [6] IMPLICIT
DER Octet String[161]
I have disabled most signature algorithms in both java.security and Java, as follows.
Security.setProperty("jdk.jar.disabledAlgorithms", "SSLv3, DSA keySize < 1024");
Security.setProperty("jdk.certpath.disabledAlgorithms", "SSLv3, DSA keySize < 1024");
Security.setProperty("jdk.tls.disabledAlgorithms", "SSLv3, DSA keySize < 1024");
In the logs, using Security.getProperty("jdk.certpath.disabledAlgorithms"), I can see that the above algorithms are the ones disabled.
log.debug("jdk.certpath.disabledAlgorithms : " + Security.getProperty("jdk.certpath.disabledAlgorithms"));
log.debug("jdk.jar.disabledAlgorithms : " + Security.getProperty("jdk.jar.disabledAlgorithms"));
log.debug("jdk.tls.disabledAlgorithms : " + Security.getProperty("jdk.tls.disabledAlgorithms"));
Output:
jdk.certpath.disabledAlgorithms : SSLv3, DSA keySize < 1024
jdk.jar.disabledAlgorithms : SSLv3, DSA keySize < 1024
jdk.tls.disabledAlgorithms : SSLv3, DSA keySize < 1024
I initialize the SSLContext as follows.
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509TrustManager;

SSLSocketFactory sslFactory = null;
SSLContext sslc = SSLContext.getInstance("TLS");
sslc.init(null, new X509TrustManager[] { new X509TrustManager() {
    // logs the presented chain and accepts it without any validation
    public void checkClientTrusted(X509Certificate[] chain,
            String authType) throws CertificateException {
        for (X509Certificate cert : chain)
            log.info(cert.toString());
    }
    public void checkServerTrusted(X509Certificate[] chain,
            String authType) throws CertificateException { // authType=ECDHE_RSA
        for (X509Certificate cert : chain)
            log.info(cert.toString());
        return;
    }
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
}, new SecureRandom());
sslFactory = sslc.getSocketFactory();
I am not familiar with cryptography, so I tried to get this working using online resources, but something is still missing. Can someone help me with where I am going wrong?
Update:
One way to make it work is to use X509ExtendedTrustManager instead of X509TrustManager when instantiating the custom trust manager. But what are the potential vulnerabilities of using X509ExtendedTrustManager instead of X509TrustManager? As mentioned in this link/comment, it is not safe to use in production.
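The stack trace above shows where the failing check lives: sun.security.ssl.AbstractTrustManagerWrapper. In JDK 8 the SSLContext wraps a trust manager that is only an X509TrustManager in that class, and the wrapper applies the jdk.certpath.disabledAlgorithms constraints (and, when enabled, endpoint identification) on top of whatever the trust manager does. A trust manager that extends X509ExtendedTrustManager is not wrapped, which is why switching the base class makes the error disappear: the wrapper's checks are simply no longer run. The real problem, however, is that the trust manager in the question accepts every chain it is shown, so with either base class no chain validation takes place and any server presenting any certificate is trusted. The example below is added here and is not code from the question or the JDK; it shows the shape a production trust manager should take: it extends X509ExtendedTrustManager so it is used directly, logs the chain as the question does, and then delegates every decision to the JDK's default PKIX trust manager built from a truststore, so chain building, expiry and algorithm-constraint checks are performed by the platform. The truststore path and password, the use of System.out in place of the question's log, and the helper names are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Example (not the question's code): logs the presented chain, then delegates
 * every trust decision to the JDK's default PKIX trust manager loaded from a
 * truststore. Because this class extends X509ExtendedTrustManager the JDK does
 * not wrap it in AbstractTrustManagerWrapper; the delegate performs the chain,
 * expiry and algorithm-constraint checks itself.
 */
public final class DelegatingTrustManager extends X509ExtendedTrustManager {

    private final X509ExtendedTrustManager delegate;

    public DelegatingTrustManager(X509ExtendedTrustManager delegate) {
        this.delegate = delegate;
    }

    /** Builds the platform trust manager from a JKS/PKCS12 truststore (path is an assumption). */
    public static DelegatingTrustManager fromTrustStore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return new DelegatingTrustManager((X509ExtendedTrustManager) tm);
            }
        }
        throw new IllegalStateException("no X509ExtendedTrustManager available from " + tmf.getAlgorithm());
    }

    // Same diagnostic the question wanted, without short-circuiting validation.
    private static void logChain(X509Certificate[] chain) {
        for (X509Certificate cert : chain) {
            System.out.println("subject=" + cert.getSubjectX500Principal()
                    + " sigalg=" + cert.getSigAlgName());
        }
    }

    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        logChain(chain);
        delegate.checkServerTrusted(chain, authType, socket);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        logChain(chain);
        delegate.checkServerTrusted(chain, authType, engine);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        logChain(chain);
        delegate.checkServerTrusted(chain, authType);
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, socket);
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, engine);
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** SSLContext wired with the delegating trust manager, in place of the accept-all one. */
    public static SSLContext buildContext(String trustStorePath, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { fromTrustStore(trustStorePath, password) }, new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Constructed arguments; the truststore must contain the LDAP server's issuing CA.
        SSLContext ctx = buildContext("/path/to/truststore.p12", "changeit".toCharArray());
        System.out.println("protocol=" + ctx.getProtocol() + " factory=" + ctx.getSocketFactory().getClass().getName());
    }
}
```

For JNDI the factory is handed over through the java.naming.ldap.factory.socket environment property, which names a class whose static getDefault() method returns the SSLSocketFactory; wrap buildContext(...).getSocketFactory() in such a class rather than a factory built on the accept-all trust manager. If the server certificate's RSASSA-PSS signature is then rejected by the delegate, the constraint comes from the truststore's issuer or from jdk.certpath.disabledAlgorithms, and the right response is to fix the configuration or the certificate, not to remove the check.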