Gateway Signature Issue for client certificate
Article ID: 188113
Updated On:
Products
Issue/Introduction
The customer is having a strange issue with a specific certificate chain
According to OpenSSL this is a valid chain:
>> openssl verify -partial_chain -trusted inter.pem leaf.pem
leaf.pem:OK
However, according to the API Gateway the signatures do not match with this error:
Unable to build path for Certificate : unable to find valid certification path to requested target;related error(s) [Signature does not match.]
Is it possible that the API Gateway is not supporting the Signature algorithm.
For the leaf certificate this is:
- rsassaPss
- Hash Algorithm: sha512
- Mask Algorithm: mgf1 with sha51
The actual comes from the SSG logs. We have tried we the entire chain in the truststore as trust anchor.
Of course, for it to work, you have to make some changes:
- switch to an IDP that exists on your environment
- add the inter.pem as a trustanchor that can sign client certificates
- create a user with the leaf.pem as certificate
- change the Authenticate User step to your local IDP and the user you created
Environment
Release : 9.4
Component : API GATEWAY
Resolution
JDK 8 u241 has introduced support for PKCS#11 v2.40 which supports RSASSA-PSS algorithm.
The solution was to upgrade the JDK to jdk1.8u241 as the signature algorithm RSASSA-PSS(which was used in the client certificate) is not supported on older JDKs. JDK 8 u241 has introduced support for PKCS#11 v2.40 which supports RSASSA-PSS algorithm
Please check the link below for more documentation for the same ->
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8080462
Feedback
