RFR [14] JDK-8226374 Restrict signature algorithms and named groups

Sean Mullan sean.mullan at oracle.com
Thu Jul 25 18:36:37 UTC 2019

On 7/25/19 11:45 AM, Xuelei Fan wrote:
> I updated the CSR and webrev per the review comments accordingly.
> webrev: http://cr.openjdk.java.net/~xuelei/8226374/webrev.02/

Not done reviewing yet, but here are a couple of comments so far:

* test/jdk/sun/security/ssl/CipherSuite/RestrictNamedGroup.java

   96             } catch (Exception exp) {
   97                 continue;
   98             }

Can you check for an expected exception here? Same comment on lines 
111-113 of RestrictSignatureScheme.java

* src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java

114             if ((namedGroup == null) || (!namedGroup.isAvailable)) {

You don't do this check for null and isAvailable in other places, for 
example ECDHClientKeyExchange.ECDHEClientKeyExchangeConsumer.consume() - 
should you?

> CSR:    https://bugs.openjdk.java.net/browse/JDK-8227445

In the CSR, the Notes 1-3 are very similar. I only think you need to 
mention that the names will be standardized in a subsequent CSR - and 
maybe you can point or add a link to the issue that has been filed for 
that. I don't think you need the other 2 notes.


> Thanks,
> Xuelei
> On 7/12/2019 9:14 AM, Xuelei Fan wrote:
>> On 7/12/2019 5:24 AM, Sean Mullan wrote:
>>> On 7/11/19 11:56 AM, Xuelei Fan wrote:
>>>>> Also, in the CSR you list all the different signature algorithms 
>>>>> that could be disabled, but you use the TLS names, and not the 
>>>>> standard JCE names. I found this a bit confusing, since if you 
>>>>> added those exact TLS names to jdk.tls.disabledAlgorithms, I don't 
>>>>> think it will work, or if it does we need additional changes to the 
>>>>> jdk.tls.disabledAlgorithms definition - and maybe that is what we 
>>>>> should do?  Also, I don't think it is possible to disable 
>>>>> individual RSASSA-PSS algorithms, I think you can just disable all 
>>>>> or none of them because the parameters are specified separately and 
>>>>> not part of the standard JCE name. Similar to other algorithms - 
>>>>> how would I just disable ecdsa_secp256r1_sha256 and nothing else? 
>>>>> Is that an issue?
>>>> Yes, it is an issue now.  The AlgorithmConstraints is able to accept 
>>>> parameters, but the current jdk.tls.disabledAlgorithms property 
>>>> cannot. That's also why I used the TLS names 
>>>> (ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256, etc) rather than 
>>>> standard names (SHA256withECDSA, RSASSA-PSS).
>>>> I agree with you that it is confusing.  The use of 
>>>> rsa_pss_rsae_sha256 may be fine, but the name "dsa_sha256" rather 
>>>> then "SHA256withDSA" could be confusing.
>>>> I was planned to add TLS signature algorithms into the standard 
>>>> names, as we will do for the named groups.  But it looks like a 
>>>> duplicate of the crypto Signature algorithms.
>>> I would lean towards this option. We could extend the 
>>> jdk.tls.disabledAlgorithms property to allow you to specify TLS 
>>> signature schemes as defined in 
>>> https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme 
>>> We would also need to add a section to the Standard Names 
>>> specification listing these schemes.
>>> The reason I like this option is because it fits well with the TLS 
>>> namespace, and it is more flexible than the JCE names and we can more 
>>> easily restrict new TLS signature schemes that are defined later.
>> I agreed that is is more straightforward.  Okay, let's go with option.
>> Between file a new enhancement for Standard Names documentation or 
>> update the doc this time, do you have a preference?  Maybe, we can 
>> update the doc together with JDKJDK-8210755?
>>     https://bugs.openjdk.java.net/browse/JDK-8210755
>> Thanks,
>> Xuelei

More information about the security-dev mailing list