RFR [13] JDK-8226374 Restric signature algorithms and named groups

Sean Mullan sean.mullan at oracle.com
Mon Jul 8 15:45:32 UTC 2019


A couple of comments/question so far (not done reviewing)

- Please change all instances of "Restric" to "Restrict" (proper 
spelling) in the bug summary and names of tests, etc

- It looks like you have enhanced jdk.tls.disabledAlgorithms to allow 
you to restrict named groups. I think that would make this an RFE, which 
will require a CSR and special approval to get into JDK 13. Do you 
really need this to implement the fix? If not, I would separate that 
part out and target it to JDK 14. Also, why haven't you updated the 
definition of jdk.tls.disabledAlgorithms to include named groups?

Thanks,
Sean

On 7/7/19 11:00 PM, Xuelei Fan wrote:
> ping ...
> 
> On 6/28/2019 1:41 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Could I get the following update reviewed?
>>      http://cr.openjdk.java.net/~xuelei/8226374/webrev.00/
>>
>> During handshaking, the selection of signature algorithms was not 
>> checked with the algorithm constraints.  Then the available signature 
>> algorithms may be ignored if a restricted algorithm get selected.  The 
>> connection should be able to be established as there are available 
>> algorithms.
>>
>> Within this update, more algorithm constraints checking are introduced 
>> in the signature algorithms and named groups code.
>>
>> The significant changes are in NamedGroup.java and 
>> SignatureScheme.java, in order to introduce the checking and algorithm 
>> parameters and specs.
>>
>> Thanks,
>> Xuelei


More information about the security-dev mailing list