[14] RFR: 8233228: Support named curves for all disabledAlgorithms

Weijun Wang weijun.wang at oracle.com
Thu Nov 28 02:28:30 UTC 2019


More on this.

I've tried using keytool to generate an EC keypair with -groupname contained in "jdk.certpath.disabledAlgorithms". It can print out a warning with the following extra code change. Feel free to include it if it looks OK to you.

diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -4658,7 +4658,7 @@
                     rb.getString("whose.key.risk"),
                     label,
                     String.format(rb.getString("key.bit"),
-                            KeyUtil.getKeySize(key), key.getAlgorithm())));
+                            KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
         }
     }
 
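Review bot: fullDisplayAlgName(key), the new last argument to the "key.bit" format, is not defined anywhere in this patch, so what the warning will print depends on a helper that is not visible here. Confirm that it yields the same text as key.getAlgorithm() for non-EC keys so existing warnings are unchanged, and that it copes with an EC key whose parameters do not map to a named curve. A short comment at the call noting that the curve name is included for EC keys would help.
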
diff --git a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
--- a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
+++ b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -34,6 +34,7 @@
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.ECKey;
 import java.security.spec.ECParameterSpec;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
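
Review bot: only ECKey is added to the import list here, while the permits() hunk below also references Locale.ROOT. The visible context stops at java.util.ArrayList, so please confirm java.util.Locale is already imported further down; otherwise it needs adding in this hunk.
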
@@ -401,6 +402,17 @@
 
         // Check if KeySizeConstraints permit the specified key
         public boolean permits(Key key) {
+            if (key instanceof ECKey) {
+                String groupname = CurveDB.lookup(((ECKey)key).getParams())
+                        .getName().toUpperCase(Locale.ROOT);
+                if (getConstraints(groupname) != null) {
+                    if (debug != null) {
+                        debug.println("Constraints: failed group name " +
+                                "constraint check " + groupname);
+                    }
+                    return false;
+                }
+            }
             List<Constraint> list = getConstraints(key.getAlgorithm());
             if (list == null) {
                 return true;
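
Review bot: the chained call CurveDB.lookup(((ECKey)key).getParams()).getName() in the new ECKey branch has no null check, so if getParams() or the lookup returns null, permits() throws a NullPointerException instead of falling through to the algorithm check. Suggest holding the lookup result in a local, skipping the group-name check when it is null, and only then upper-casing the name. The branch also returns false as soon as getConstraints(groupname) is non-null without evaluating any of the returned constraints; if the intent is that any entry for the curve name disables it, a comment saying so would make that explicit.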

BTW, my previous suggestion on ConstraintsParameters(...,Key,...) is unrelated. It is used in AlgorithmCheck.java.

Thanks,
Max



> On Nov 28, 2019, at 9:26 AM, Weijun Wang <weijun.wang at oracle.com> wrote:
> 
> In ConstraintsParameters.java:
> 
> You added curveStr assignment in the ConstraintsParameters(X509Certificate,...). Is it also necessary to do the same in the next constructor ConstraintsParameters(...,Key,...)? You can get curve name from the key.
> 
> Also, now that a key has a parameter that needs to be checked, in the following public method in DisabledAlgorithmConstraints.java
> 
> public boolean permits(Key key) {
>    List<Constraint> list = getConstraints(key.getAlgorithm());
>    if (list == null) {
>        return true;
>    }
>    for (Constraint constraint : list) {
>        if (!constraint.permits(key)) {
>            if (debug != null) {
>                debug.println("Constraints: failed key size" +
>                        "constraint check " + KeyUtil.getKeySize(key));
>            }
>            return false;
>        }
>    }
>    return true;
> }
> 
> should getConstraints() be called on both the algorithm name and the group name?
> 
> Thanks,
> Max
> 
> 
> 
>> On Nov 20, 2019, at 3:44 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>> 
>> I need a review of a disabled algorithms code change that allows EC curve names to be disabled for all the disabledAlgorithm properties.
>> 
>> https://cr.openjdk.java.net/~ascarpino/8233228/webrev/
>> 
>> Tony
> 
