RFR [14] JDK-8226374 Restrict signature algorithms and named groups
Xuelei Fan
xuelei.fan at oracle.com
Sun Jul 28 17:42:32 UTC 2019
On 7/26/2019 7:08 AM, Xuelei Fan wrote:
> New webrev:
> http://cr.openjdk.java.net/~xuelei/8226374/webrev.03/
>
>
>> * src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java
>>
>> 114 if ((namedGroup == null) || (!namedGroup.isAvailable)) {
>>
>> You don't do this check for null and isAvailable in other places, for
>> example ECDHClientKeyExchange.ECDHEClientKeyExchangeConsumer.consume()
>> - should you?
>>
> Good point! Currently, the restriction is only checked for the
> supported group extension. I should add more check points in other
> places where named groups are used, for example client key exchange and
> certificate. Stay tune for the next webrev.
>
The ECDHClientKeyExchange.ECDHEClientKeyExchangeConsumer.consume()
should be fine as the namedGroup has been checked in the previous steps
(X509Authentication.X509PossessionGenerator.createServerPossession()).
However, I missed the check for certificate. The consumer of
certificate should check the named groups to make sure the supported
named group is used. It was not a problem in the past as the supported
named groups are used to indicate the EC curve or DH group is able to be
handled in both side.
It could be a problem now when we want to restrict named groups. The
named groups used in a certificate should be checked in key manager and
trust manager for TLS 1.2 and prior versions. Similar to the signature
schemes for TLS 1.3. As may required new APIs
(SSLParameters.getPeerSupportedNamedGroups()) for a generic solution.
Would you mind if I file a new RFE and make the improvement in JDK 14 later?
Thanks,
Xuelei
More information about the security-dev
mailing list