8226374: Restrict TLS signature schemes and named groups

Reviewed-by: mullan
2025-08-28 15:24:43 +02:00 · 2019-08-12 21:36:29 -07:00 · 2019-08-12 21:36:29 -07:00 · 316140ff92
commit 316140ff92
parent de8ce983b3
18 changed files with 810 additions and 626 deletions
--- a/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
+++ b/src/java.base/share/classes/sun/security/ssl/CipherSuite.java
@ -35,8 +35,8 @@ import static sun.security.ssl.CipherSuite.HashAlg.*;
 import static sun.security.ssl.CipherSuite.KeyExchange.*;
 import static sun.security.ssl.CipherSuite.MacAlg.*;
 import static sun.security.ssl.SSLCipher.*;
-import sun.security.ssl.NamedGroup.NamedGroupType;
-import static sun.security.ssl.NamedGroup.NamedGroupType.*;
+import sun.security.ssl.NamedGroup.NamedGroupSpec;
+import static sun.security.ssl.NamedGroup.NamedGroupSpec.*;

 /**
 * Enum for SSL/(D)TLS cipher suites.
@ -1125,12 +1125,12 @@ enum CipherSuite {
        // name of the key exchange algorithm, e.g. DHE_DSS
        final String name;
        final boolean allowed;
-        final NamedGroupType[] groupTypes;
+        final NamedGroupSpec[] groupTypes;
        private final boolean alwaysAvailable;
        private final boolean isAnonymous;

        KeyExchange(String name, boolean allowed,
-                boolean isAnonymous, NamedGroupType... groupTypes) {
+                boolean isAnonymous, NamedGroupSpec... groupTypes) {
            this.name = name;
            this.groupTypes = groupTypes;
            this.allowed = allowed;
@ -1144,8 +1144,8 @@ enum CipherSuite {
                return true;
            }

-            if (NamedGroupType.arrayContains(
-                    groupTypes, NamedGroupType.NAMED_GROUP_ECDHE)) {
+            if (NamedGroupSpec.arrayContains(groupTypes,
+                    NamedGroupSpec.NAMED_GROUP_ECDHE)) {
                return (allowed && JsseJce.isEcAvailable());
            } else {
                return allowed;