RFR [13] JDK-8225766 : Curve in certificate should not affect signature scheme when using TLSv1.3
Xuelei Fan
xuelei.fan at oracle.com
Thu Jun 20 04:47:14 UTC 2019
On 6/19/2019 8:17 PM, Anthony Scarpino wrote:
> On 6/19/19 5:02 PM, Xuelei Fan wrote:
>> Hi,
>>
>> Could I get the following update reviewed?
>>
>> http://cr.openjdk.java.net/~xuelei/8225766/webrev.01/
>>
>> For TLS 1.2 and prior versions, the public key of an EC cert MUST use a
>> curve and point format supported by the client. But in TLS 1.3,
>> signature algorithms are negotiated independently via the
>> "signature_algorithms" extension. The JDK implementation does not
>> comply with this behavior change in TLS 1.3.
>>
>> There is a corner case that the signature algorithm "ecdsa_sha1" does
>> not define the related curves. If the key uses an unsupported curve,
>> the peer cannot verify the signature. In this fix, a countermeasure
>> is introduced to mitigate the impact by checking that the curve used
>> for "ecdsa_sha1" is locally supported.
>>
>> Please read the code for more details.
>>
>> Thanks,
>> Xuelei
>
> The code looks fine. Just one nit in the comment that looks like you
> lost control of your fingers :-)
>
> X509Authentication.java
> 332 // independently via the "signature_algoriarethms" extension.
>
Oops, not sure how it could happen like this. I will correct it.
Thanks,
Xuelei
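The selection rule Xuelei describes in the quoted message, written out as an added illustration that is not part of the thread and not the JDK's X509Authentication code. The enums, the curve set, and the isUsable method are constructed for this example; the only facts taken from the thread and RFC 8446 are that TLS 1.2 gates an EC certificate on the peer's supported curves, that TLS 1.3 binds each ecdsa_secp*_sha* scheme to a specific curve and negotiates it independently of the curve list, and that ecdsa_sha1 names no curve and therefore needs the extra local-curve check.

```java
import java.util.EnumSet;
import java.util.Set;

// Hypothetical model (not the JDK's own code) of the EC-certificate
// selection rule discussed in the thread.
public class EcCertSelection {

    enum Protocol { TLS12, TLS13 }

    // Small constructed set of named curves for the example.
    enum NamedGroup { SECP256R1, SECP384R1, SECP521R1, BRAINPOOLP256R1 }

    // ECDSA signature schemes. In TLS 1.3 each SHA-2 scheme names its curve
    // (RFC 8446 section 4.2.3); ecdsa_sha1 names none, which is the corner case.
    enum SignatureScheme {
        ECDSA_SECP256R1_SHA256(NamedGroup.SECP256R1),
        ECDSA_SECP384R1_SHA384(NamedGroup.SECP384R1),
        ECDSA_SECP521R1_SHA512(NamedGroup.SECP521R1),
        ECDSA_SHA1(null);

        final NamedGroup boundCurve;   // null when the scheme does not fix a curve
        SignatureScheme(NamedGroup g) { boundCurve = g; }
    }

    /**
     * Decide whether an EC certificate whose public key lies on certCurve may be
     * used for authentication with the negotiated protocol version.
     *
     * @param protocol    negotiated protocol version
     * @param certCurve   curve of the certificate's EC public key
     * @param peerGroups  curves the peer advertised (supported_groups)
     * @param localGroups curves this side supports
     * @param peerSchemes signature schemes the peer advertised (signature_algorithms)
     */
    static boolean isUsable(Protocol protocol, NamedGroup certCurve,
            Set<NamedGroup> peerGroups, Set<NamedGroup> localGroups,
            Set<SignatureScheme> peerSchemes) {
        if (protocol == Protocol.TLS12) {
            // TLS 1.2 and earlier: the key's curve MUST be one the peer supports.
            return peerGroups.contains(certCurve);
        }
        // TLS 1.3: the curve list no longer gates the certificate. It is usable
        // when a peer-offered scheme can sign with a key on this curve.
        for (SignatureScheme s : peerSchemes) {
            if (s.boundCurve == certCurve) {
                return true;
            }
            if (s == SignatureScheme.ECDSA_SHA1 && localGroups.contains(certCurve)) {
                // Countermeasure from the fix: ecdsa_sha1 carries no curve, so
                // require the curve to be locally supported; otherwise the peer
                // may be unable to verify the signature.
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Set<NamedGroup> peer = EnumSet.of(NamedGroup.SECP256R1);
        Set<NamedGroup> local = EnumSet.of(NamedGroup.SECP256R1, NamedGroup.SECP384R1);

        // TLS 1.2: secp384r1 key rejected because the peer only offers secp256r1.
        System.out.println(isUsable(Protocol.TLS12, NamedGroup.SECP384R1, peer, local,
                EnumSet.of(SignatureScheme.ECDSA_SECP384R1_SHA384)));

        // TLS 1.3: same key accepted, because the peer offers ecdsa_secp384r1_sha384.
        System.out.println(isUsable(Protocol.TLS13, NamedGroup.SECP384R1, peer, local,
                EnumSet.of(SignatureScheme.ECDSA_SECP384R1_SHA384)));

        // TLS 1.3 with only ecdsa_sha1: brainpool key rejected by the local-curve check.
        System.out.println(isUsable(Protocol.TLS13, NamedGroup.BRAINPOOLP256R1, peer, local,
                EnumSet.of(SignatureScheme.ECDSA_SHA1)));
    }
}
```

The three calls in main print false, true and false respectively: the first shows the TLS 1.2 curve gate, the second shows TLS 1.3 accepting the certificate purely on the negotiated signature scheme, and the third shows the ecdsa_sha1 countermeasure refusing a curve this side cannot handle.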