RFR [13] JDK-8226374 Restrict signature algorithms and named groups

Sean Mullan sean.mullan at oracle.com
Mon Jul 8 17:30:44 UTC 2019

On 7/8/19 12:30 PM, Xuelei Fan wrote:
>> - It looks like you have enhanced jdk.tls.disabledAlgorithms to allow 
>> you to restrict named groups. I think that would make this an RFE, 
>> which will require a CSR and special approval to get into JDK 13. Do 
>> you really need this to implement the fix?
> Named groups is a part of the signature algorithms for TLS 1.3.  For 
> example for signature algorithm ecdsa_secp256r1_sha256, "secp256r1" is 
> the named groups part.  It is simple to restrict named groups and 
> signature algorithm in one update.

So, for the reported issue in 8226374, with this fix, I can now disable 
the RSASSA-PSS algorithms by adding the Java Security standard name 
"RSASSA-PSS" to the jdk.tls.disabledAlgorithms property and it will work 
on client and server side. This seems consistent, with disabling other 
signature algorithms like MD5withRSA, SHA1withRSA, etc...

But now with your fix I can also add "secp256r1" to the 
jdk.tls.disabledAlgorithms property and (I think) it will disable any 
algorithm using that curve. I am wondering why you really need this in 
order to fix the reported issue.

> We can go as an RFE for JDK 14.  But I would prefer to have it in JDK 13 
> so that applications could disable RSASSA-PSS and the certificate 
> selection could be more robust.

Can't you still fix the issue w/o needing to disable named groups?

> As this does not change the public APIs and specs, I think it might be 
> fine to go with a bug fix for JDK 13 without a CSR.
>> If not, I would separate that part out and target it to JDK 14. Also, 
>> why haven't you updated the definition of jdk.tls.disabledAlgorithms 
>> to include named groups?
> The named groups will be documented in the Standard Algorithms 
> Documentation.  I think it is sufficient.

Named groups are not yet documented in the Standard Algorithms Doc.
This was deferred to JDK 14 [1] because it required some changes in the 
implementation to be fixed first.

> I'm fine to make it an RFE in JDK 14 if you want a CSR.  We could 
> backport it later if necessary.

I am mainly wondering if you can just fix the specific issue in 13 
(RSASSA-PSS) and add support for disabling named groups later, in JDK 14, 
since that seems more like an RFE to me and also depends on the standard 
names being defined for named curves.


[1] https://bugs.openjdk.java.net/browse/JDK-8210755
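As an added illustration, not part of the patch under review or of the JDK itself, here is a small helper that applies the configuration discussed above at run time: it appends "RSASSA-PSS" to jdk.tls.disabledAlgorithms without dropping the entries already set in the java.security file. The class and method names are hypothetical; the property has to be set before the first SSLContext is created, because the TLS implementation parses it once and caches the result.

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

/**
 * Hypothetical helper (not JDK code): extends the jdk.tls.disabledAlgorithms
 * security property at run time. This is equivalent to editing java.security,
 * but only takes effect if it runs before the first SSLContext is initialised.
 */
public final class TlsDisabledAlgorithms {

    static final String PROPERTY = "jdk.tls.disabledAlgorithms";

    /** Splits a property value on commas, trims entries and keeps their order. */
    static List<String> parse(String value) {
        if (value == null || value.isBlank()) {
            return new ArrayList<>();
        }
        return Arrays.stream(value.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toCollection(ArrayList::new));
    }

    /** Returns the merged value: existing entries are kept, names already
     *  present are not added twice (case-insensitive comparison). */
    static String merge(String current, String... toDisable) {
        List<String> entries = parse(current);
        for (String name : toDisable) {
            boolean present = entries.stream().anyMatch(e -> e.equalsIgnoreCase(name));
            if (!present) {
                entries.add(name);
            }
        }
        return String.join(", ", entries);
    }

    /** Updates the live security property and returns the new value. */
    static String disable(String... toDisable) {
        String merged = merge(Security.getProperty(PROPERTY), toDisable);
        Security.setProperty(PROPERTY, merged);
        return merged;
    }

    public static void main(String[] args) {
        System.out.println("before: " + Security.getProperty(PROPERTY));
        // Disable the RSASSA-PSS signature schemes for TLS, the case reported in 8226374.
        System.out.println("after:  " + disable("RSASSA-PSS"));
    }
}
```

The same call would accept a named group such as "secp256r1" once the proposed change lands, but that is exactly the part of the fix whose status (bug fix versus RFE) is being debated in this thread.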
