RFR CSR: JDK-8254709 (Support for EdDSA signature scheme in JSSE)

Jamil Nimeh jamil.j.nimeh at oracle.com
Wed Oct 21 20:01:44 UTC 2020 

Hi Xuelei, thanks for the comments.  I'll respond in-line:

On 10/21/2020 11:52 AM, Xuelei Fan wrote:
> Hi Jamil,
>
> Sorry for delay.  It took a few days before I was able to read the 
> CSR. Just a few comments for your consideration.
>
> In the specification section, you mentioned how to disable the 
> algorithms. It might not be necessary.  It is just something we need 
> to implement so that it does not break the mechanism.
JN: I was under the impression that where System/Security properties 
have an impact on the feature that we typically make note of it.
>
> I'm not very sure of the order of EdDSA in the signature algorithms. 
> EdDSA and EdDSA certificate are not popular yet.  I'm fine with the 
> order. Would you mind to share your consideration of the preference?

No real consideration.  All I did was remove the explicit disable code 
in SignatureScheme.java:278 - 286.  The ordering in the enumeration then 
shows up in the signature_algorithms[_cert] extensions. Ed* schemes 
could be moved down a bit in the enumeration if we think that will make 
a difference.  I think it would only matter if a server or client had 
both ECC and EdDSA keyed certs that would be up for selection.  There 
are other implementations that do have Ed* signature schemes a little 
further down in their lists.

>
> The list of signature schemes is out of the quote box and hard to 
> read. I may just list one scheme one line in one quote box, like:
>
>     + ed25519
>     + ed448
>       ecdsa_secp256r1_sha256
JN: I could do that.  I was trying to avoid having it be a mile long, 
but if it's not rendering horizontally then I'll change it.  I suppose 
it doesn't have to be the list of all sig schemes.  Just a few lines of 
context on either side of the new signature schemes should drive the 
point home and keep it succinct.
>
> I'm not very sure why EdDSA cannot apply to ServerKeyExchange and 
> CertificateVerify in TLS 1.0 and 1.1. ServerKeyExchange and 
> CertificateVerify is used to authenticate the server or the client's 
> possession of the private key of the cert.  So if EdDSA cannot be used 
> for them, the EdDSA certificate should not be selected for TLS 1.0/1.1 
> as well.  I did not read the RFC fully yet, it looks like that EdDSA 
> can be used for TLS 1.0/1.1 ServerKeyExchange and CertificateVerify as 
> well.  I may miss something.
JN: So far I have yet to find a server implementation that will accept a 
1.0/1.1 client hello with no signature_algorithms extension and not 
barf.  This of course assumes that the server only has EdDSA keyed TLS 
certificates.  As I mentioned to you on the side, if it's RSA/DSA/ECC 
and has an EdDSA signature, then things work great.  To be fair, I 
haven't experimented with anything other than my modified JSSE and 
OpenSSL so far.
>
> Hope it helps.
>
> Xuelei
>
> On 10/13/2020 10:59 AM, Jamil Nimeh wrote:
>> Hi Folks,
>>
>> I just put out the draft CSR for the RFE that adds EdDSA support in 
>> JSSE.  If anyone has some spare cycles to review this I'd appreciate it.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8254709
>>
>> Thanks,
>>
>> --Jamil
>>

More information about the security-dev mailing list