RFR [13] JDK-8226374 Restric signature algorithms and named groups
Sean Mullan
sean.mullan at oracle.com
Mon Jul 8 15:45:32 UTC 2019
A couple of comments/question so far (not done reviewing)
- Please change all instances of "Restric" to "Restrict" (proper
spelling) in the bug summary and names of tests, etc
- It looks like you have enhanced jdk.tls.disabledAlgorithms to allow
you to restrict named groups. I think that would make this an RFE, which
will require a CSR and special approval to get into JDK 13. Do you
really need this to implement the fix? If not, I would separate that
part out and target it to JDK 14. Also, why haven't you updated the
definition of jdk.tls.disabledAlgorithms to include named groups?
Thanks,
Sean
On 7/7/19 11:00 PM, Xuelei Fan wrote:
> ping ...
>
> On 6/28/2019 1:41 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Could I get the following update reviewed?
>> http://cr.openjdk.java.net/~xuelei/8226374/webrev.00/
>>
>> During handshaking, the selection of signature algorithms was not
>> checked with the algorithm constraints. Then the available signature
>> algorithms may be ignored if a restricted algorithm get selected. The
>> connection should be able to be established as there are available
>> algorithms.
>>
>> Within this update, more algorithm constraints checking are introduced
>> in the signature algorithms and named groups code.
>>
>> The significant changes are in NamedGroup.java and
>> SignatureScheme.java, in order to introduce the checking and algorithm
>> parameters and specs.
>>
>> Thanks,
>> Xuelei
More information about the security-dev
mailing list