RFR [13] JDK-8226374 Restrict signature algorithms and named groups
Xuelei Fan
xuelei.fan at oracle.com
Mon Jul 8 17:58:04 UTC 2019
I see your points. As we can backport to JDK 13 later, it may not be
worth rolling back to support only the "RSASSA-PSS" algorithm restriction
in JDK 13. Applications may also run into problems that need to
disable particular groups, similar to the RSASSA-PSS algorithm problem.
Let's solve the problem in one update, and re-target it to JDK 14.
I will file a CSR for JDK 14, and a 13 backport if necessary.
Thanks,
Xuelei
On 7/8/2019 10:30 AM, Sean Mullan wrote:
> On 7/8/19 12:30 PM, Xuelei Fan wrote:
>>> - It looks like you have enhanced jdk.tls.disabledAlgorithms to allow
>>> you to restrict named groups. I think that would make this an RFE,
>>> which will require a CSR and special approval to get into JDK 13. Do
>>> you really need this to implement the fix?
>> Named groups are a part of the signature algorithms for TLS 1.3. For
>> example, for the signature algorithm ecdsa_secp256r1_sha256, "secp256r1"
>> is the named group part. It is simple to restrict named groups and
>> signature algorithms in one update.
>
> So, for the reported issue in 8226374, with this fix, I can now disable
> the RSASSA-PSS algorithms by adding the Java Security standard name
> "RSASSA-PSS" to the jdk.tls.disabledAlgorithms property and it will work
> on client and server side. This seems consistent with disabling other
> signature algorithms like MD5withRSA, SHA1withRSA, etc.
>
> But now with your fix I can also add "secp256r1" to the
> jdk.tls.disabledAlgorithms property and (I think) it will disable any
> algorithm using that curve. I am wondering why you really need this in
> order to fix the reported issue.
>
>> We can go as an RFE for JDK 14. But I would prefer to have it in JDK
>> 13 so that applications could disable RSASSA-PSS and the certificate
>> selection could be more robust.
>
> Can't you still fix the issue w/o needing to disable named groups?
>
>> As this does not change the public APIs and specs, I think it might be
>> fine to go with a bug fix for JDK 13 without a CSR.
>>
>>
>>> If not, I would separate that part out and target it to JDK 14. Also,
>>> why haven't you updated the definition of jdk.tls.disabledAlgorithms
>>> to include named groups?
>>>
>> The named groups will be documented in the Standard Algorithms
>> Documentation. I think it is sufficient.
>
> Named groups are not yet documented in the Standard Algorithms Doc.
> This was deferred to JDK 14 [1] because it required some changes in the
> implementation to be fixed first.
>
>> I'm fine to make it an RFE in JDK 14 if you want a CSR. We could
>> backport it later if necessary.
>
> I am mainly wondering if you can just fix the specific issue in 13
> (RSASSA-PSS) and add support for disabling named groups later, in JDK 14,
> since that seems more like an RFE to me and also depends on the standard
> names being defined for named curves.
>
> --Sean
>
> [1] https://bugs.openjdk.java.net/browse/JDK-8210755
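The thread discusses one semantic: a single jdk.tls.disabledAlgorithms entry such as "RSASSA-PSS" or, with the proposed fix, a named group such as "secp256r1", drops every TLS 1.3 signature scheme that contains that part. The following Java model is an added illustration and is not code from the thread or from the JDK source. The `Scheme` layout, the constructed sample list and the decision to skip constraint entries like "RSA keySize < 1024" are assumptions of this model; the scheme names are the RFC 8446 wire names.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/*
 * Added illustration, not JDK code. Models how one jdk.tls.disabledAlgorithms
 * entry can name a signature algorithm ("RSASSA-PSS"), a digest ("SHA1") or a
 * named group ("secp256r1"), removing every TLS 1.3 signature scheme built from
 * that part. Field layout and keySize handling are assumptions of the model.
 */
public class DisabledSchemeFilter {

    /** One TLS 1.3 signature scheme split into the parts a property entry can match. */
    static final class Scheme {
        final String name;       // RFC 8446 scheme name
        final String algorithm;  // signature algorithm, e.g. "RSASSA-PSS"
        final String hash;       // digest, e.g. "SHA256"
        final String group;      // named group the scheme is bound to, or null

        Scheme(String name, String algorithm, String hash, String group) {
            this.name = name;
            this.algorithm = algorithm;
            this.hash = hash;
            this.group = group;
        }
    }

    /** Constructed sample: a subset of the TLS 1.3 signature schemes. */
    static final List<Scheme> SAMPLE = Arrays.asList(
        new Scheme("ecdsa_secp256r1_sha256", "ECDSA",      "SHA256", "secp256r1"),
        new Scheme("ecdsa_secp384r1_sha384", "ECDSA",      "SHA384", "secp384r1"),
        new Scheme("rsa_pss_rsae_sha256",    "RSASSA-PSS", "SHA256", null),
        new Scheme("rsa_pss_pss_sha256",     "RSASSA-PSS", "SHA256", null),
        new Scheme("rsa_pkcs1_sha256",       "RSA",        "SHA256", null),
        new Scheme("rsa_pkcs1_sha1",         "RSA",        "SHA1",   null));

    /**
     * Parses a comma-separated property value into lower-cased plain names.
     * Entries carrying a constraint (e.g. "RSA keySize < 1024") are skipped
     * because this model only handles plain-name entries.
     */
    static Set<String> parseDisabled(String property) {
        Set<String> names = new HashSet<>();
        if (property == null) {
            return names;
        }
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (e.isEmpty() || e.contains(" ")) {
                continue;   // empty, or a constraint entry this model does not cover
            }
            names.add(e.toLowerCase(Locale.ROOT));
        }
        return names;
    }

    /** Returns the schemes that survive the disabled list. */
    static List<Scheme> enabledSchemes(List<Scheme> schemes, String property) {
        Set<String> disabled = parseDisabled(property);
        List<Scheme> out = new ArrayList<>();
        for (Scheme s : schemes) {
            boolean blocked =
                disabled.contains(s.algorithm.toLowerCase(Locale.ROOT))
                || disabled.contains(s.hash.toLowerCase(Locale.ROOT))
                || (s.group != null && disabled.contains(s.group.toLowerCase(Locale.ROOT)));
            if (!blocked) {
                out.add(s);
            }
        }
        return out;
    }

    static void show(String property) {
        System.out.println("jdk.tls.disabledAlgorithms=" + property);
        for (Scheme s : enabledSchemes(SAMPLE, property)) {
            System.out.println("  " + s.name);
        }
    }

    public static void main(String[] args) {
        // Only the two PSS schemes disappear.
        show("RSASSA-PSS");
        // Disabling the curve also removes ecdsa_secp256r1_sha256, whatever its hash.
        show("RSASSA-PSS, secp256r1");
        // A digest entry removes every scheme using it (here the legacy SHA-1 one);
        // the keySize constraint is ignored by this model.
        show("SHA1, RSA keySize < 1024");
    }
}
```

Run it with `javac DisabledSchemeFilter.java && java DisabledSchemeFilter`. The point of the model is the part Sean questions: once a named group is an accepted entry, the match is by curve rather than by scheme name, so "secp256r1" removes the secp256r1-bound scheme on both the client and the server side, which is why the thread treats it as an RFE that depends on the named-group standard names rather than a narrow fix for the RSASSA-PSS report.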