archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-27 23:04:50 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8288209: SSL debug message wrong about unsupported authentication scheme

Browse source 
Reviewed-by: djelinski, jnimeh
This commit is contained in:
Weijun Wang 2022-06-21 14:33:03 +00:00
parent 0f801fe6fd
commit 19017358b1
5 changed files with 49 additions and 97 deletions
Download patch file Download diff file Expand all files Collapse all files

54
src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1042,46 +1042,22 @@ final class CertificateMessage {
return null;
}
Collection<String> checkedKeyTypes = new HashSet<>();
List<String> supportedKeyTypes = new ArrayList<>();
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
continue;
}
checkedKeyTypes.add(ss.keyAlgorithm);
// Don't select a signature scheme unless we will be able to
// produce a CertificateVerify message later
if (SignatureScheme.getPreferableAlgorithm(
hc.algorithmConstraints,
hc.peerRequestedSignatureSchemes,
ss, hc.negotiatedProtocol) == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unable to produce CertificateVerify for " +
"signature scheme: " + ss.name);
}
continue;
}
X509Authentication ka = X509Authentication.valueOf(ss);
if (ka == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
continue;
}
supportedKeyTypes.add(ss.keyAlgorithm);
}
String[] supportedKeyTypes = hc.peerRequestedCertSignSchemes
.stream()
.map(ss -> ss.keyAlgorithm)
.distinct()
.filter(ka -> SignatureScheme.getPreferableAlgorithm( // Don't select a signature scheme unless
hc.algorithmConstraints, // we will be able to produce
hc.peerRequestedSignatureSchemes, // a CertificateVerify message later
ka, hc.negotiatedProtocol) != null
|| SSLLogger.logWarning("ssl,handshake",
"Unable to produce CertificateVerify for key algorithm: " + ka))
.filter(ka -> X509Authentication.valueOfKeyAlgorithm(ka) != null
|| SSLLogger.logWarning("ssl,handshake", "Unsupported key algorithm: " + ka))
.toArray(String[]::new);
SSLPossession pos = X509Authentication
.createPossession(hc, supportedKeyTypes.toArray(String[]::new));
.createPossession(hc, supportedKeyTypes);
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");

73
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
View file

@ -32,9 +32,7 @@ import java.security.cert.X509Certificate;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
@ -760,59 +758,28 @@ final class CertificateRequest {
crKeyTypes.add("RSASSA-PSS");
}
Collection<String> checkedKeyTypes = new HashSet<>();
List<String> supportedKeyTypes = new ArrayList<>();
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
continue;
}
checkedKeyTypes.add(ss.keyAlgorithm);
// Don't select a signature scheme unless we will be able to
// produce a CertificateVerify message later
if (SignatureScheme.getPreferableAlgorithm(
hc.algorithmConstraints,
hc.peerRequestedSignatureSchemes,
ss, hc.negotiatedProtocol) == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unable to produce CertificateVerify for " +
"signature scheme: " + ss.name);
}
continue;
}
X509Authentication ka = X509Authentication.valueOf(ss);
if (ka == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
continue;
} else {
// Any auth object will have a set of allowed key types.
// This set should share at least one common algorithm with
// the CR's allowed key types.
if (Collections.disjoint(crKeyTypes,
Arrays.asList(ka.keyTypes))) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " +
ss.name);
}
continue;
}
}
supportedKeyTypes.add(ss.keyAlgorithm);
}
String[] supportedKeyTypes = hc.peerRequestedCertSignSchemes
.stream()
.map(ss -> ss.keyAlgorithm)
.distinct()
.filter(ka -> SignatureScheme.getPreferableAlgorithm( // Don't select a signature scheme unless
hc.algorithmConstraints, // we will be able to produce
hc.peerRequestedSignatureSchemes, // a CertificateVerify message later
ka, hc.negotiatedProtocol) != null
|| SSLLogger.logWarning("ssl,handshake",
"Unable to produce CertificateVerify for key algorithm: " + ka))
.filter(ka -> {
var xa = X509Authentication.valueOfKeyAlgorithm(ka);
// Any auth object will have a set of allowed key types.
// This set should share at least one common algorithm with
// the CR's allowed key types.
return xa != null && !Collections.disjoint(crKeyTypes, Arrays.asList(xa.keyTypes))
|| SSLLogger.logWarning("ssl,handshake", "Unsupported key algorithm: " + ka);
})
.toArray(String[]::new);
SSLPossession pos = X509Authentication
.createPossession(hc, supportedKeyTypes.toArray(String[]::new));
.createPossession(hc, supportedKeyTypes);
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");

9
src/java.base/share/classes/sun/security/ssl/SSLLogger.java
View file

@ -207,6 +207,15 @@ public final class SSLLogger {
}
}
// Logs a warning message and always returns false. This method
// can be used as an OR Predicate to add a log in a stream filter.
public static boolean logWarning(String option, String s) {
if (SSLLogger.isOn && SSLLogger.isOn(option)) {
SSLLogger.warning(s);
}
return false;
}
private static class SSLConsoleLogger implements Logger {
private final String loggerName;
private final boolean useCompactFormat;

4
src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
View file

@ -450,13 +450,13 @@ enum SignatureScheme {
static SignatureScheme getPreferableAlgorithm(
AlgorithmConstraints constraints,
List<SignatureScheme> schemes,
SignatureScheme certScheme,
String keyAlgorithm,
ProtocolVersion version) {
for (SignatureScheme ss : schemes) {
if (ss.isAvailable &&
ss.handshakeSupportedProtocols.contains(version) &&
certScheme.keyAlgorithm.equalsIgnoreCase(ss.keyAlgorithm) &&
keyAlgorithm.equalsIgnoreCase(ss.keyAlgorithm) &&
ss.isPermitted(constraints)) {
return ss;
}

6
src/java.base/share/classes/sun/security/ssl/X509Authentication.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -72,9 +72,9 @@ enum X509Authentication implements SSLAuthentication {
this.keyTypes = keyTypes;
}
static X509Authentication valueOf(SignatureScheme signatureScheme) {
static X509Authentication valueOfKeyAlgorithm(String keyAlgorithm) {
for (X509Authentication au : X509Authentication.values()) {
if (au.keyAlgorithm.equals(signatureScheme.keyAlgorithm)) {
if (au.keyAlgorithm.equals(keyAlgorithm)) {
return au;
}
}