8226374: Restrict TLS signature schemes and named groups

Reviewed-by: mullan
Xue-Lei Andrew Fan 2019-08-12 21:36:29 -07:00
parent de8ce983b3
commit 316140ff92
18 changed files with 810 additions and 626 deletions


@ -36,7 +36,6 @@ import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.interfaces.ECPublicKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
@ -44,7 +43,7 @@ import java.util.EnumSet;
import javax.crypto.KeyAgreement;
import javax.crypto.SecretKey;
import javax.net.ssl.SSLHandshakeException;
import sun.security.ssl.NamedGroup.NamedGroupType;
import sun.security.ssl.NamedGroup.NamedGroupSpec;
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
import sun.security.ssl.X509Authentication.X509Credentials;
import sun.security.ssl.X509Authentication.X509Possession;
@ -88,7 +87,7 @@ final class ECDHKeyExchange {
static ECDHECredentials valueOf(NamedGroup namedGroup,
byte[] encodedPoint) throws IOException, GeneralSecurityException {
if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) {
if (namedGroup.spec != NamedGroupSpec.NAMED_GROUP_ECDHE) {
throw new RuntimeException(
"Credentials decoding: Not ECDHE named group");
}
@ -98,11 +97,7 @@ final class ECDHKeyExchange {
}
ECParameterSpec parameters =
ECUtil.getECParameterSpec(null, namedGroup.oid);
if (parameters == null) {
return null;
}
(ECParameterSpec)namedGroup.keAlgParamSpec;
ECPoint point = ECUtil.decodePoint(
encodedPoint, parameters.getCurve());
KeyFactory factory = KeyFactory.getInstance("EC");
@ -120,9 +115,7 @@ final class ECDHKeyExchange {
ECDHEPossession(NamedGroup namedGroup, SecureRandom random) {
try {
KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
ECGenParameterSpec params =
(ECGenParameterSpec)namedGroup.getParameterSpec();
kpg.initialize(params, random);
kpg.initialize(namedGroup.keAlgParamSpec, random);
KeyPair kp = kpg.generateKeyPair();
privateKey = kp.getPrivate();
publicKey = (ECPublicKey)kp.getPublic();
@ -248,17 +241,17 @@ final class ECDHKeyExchange {
preferableNamedGroup = SupportedGroups.getPreferredGroup(
context.negotiatedProtocol,
context.algorithmConstraints,
new NamedGroupType[] {
NamedGroupType.NAMED_GROUP_ECDHE,
NamedGroupType.NAMED_GROUP_XDH },
new NamedGroupSpec[] {
NamedGroupSpec.NAMED_GROUP_ECDHE,
NamedGroupSpec.NAMED_GROUP_XDH },
context.clientRequestedNamedGroups);
} else {
preferableNamedGroup = SupportedGroups.getPreferredGroup(
context.negotiatedProtocol,
context.algorithmConstraints,
new NamedGroupType[] {
NamedGroupType.NAMED_GROUP_ECDHE,
NamedGroupType.NAMED_GROUP_XDH });
new NamedGroupSpec[] {
NamedGroupSpec.NAMED_GROUP_ECDHE,
NamedGroupSpec.NAMED_GROUP_XDH });
}
if (preferableNamedGroup != null) {
@ -308,7 +301,8 @@ final class ECDHKeyExchange {
NamedGroup ng = NamedGroup.valueOf(params);
if (ng == null) {
// unlikely, have been checked during cipher suite negotiation.
// unlikely, have been checked during cipher suite
// negotiation.
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@ -480,7 +474,7 @@ final class ECDHKeyExchange {
}
String alg;
switch (namedGroup.type) {
switch (namedGroup.spec) {
case NAMED_GROUP_ECDHE:
alg = "ECDH";
break;
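Review bot: In `ECDHECredentials.valueOf` the `parameters == null` early return is gone and `parameters` now comes from the unchecked cast `(ECParameterSpec)namedGroup.keAlgParamSpec`, so the only guard visible before `parameters.getCurve()` is the `namedGroup.spec` check. `NamedGroup` is not shown in this section, so it cannot be confirmed from here that `keAlgParamSpec` is always a non-null `ECParameterSpec` for `NAMED_GROUP_ECDHE` groups; if it is not, decoding `encodedPoint` (presumably supplied by the peer) would end in a `NullPointerException` or `ClassCastException` instead of a controlled handshake failure. Either keep the guard after the cast, `if (parameters == null) { return null; }`, or state the invariant in a comment at the cast, e.g. `// every NAMED_GROUP_ECDHE group carries a non-null ECParameterSpec in keAlgParamSpec`. The same assumption is made by `kpg.initialize(namedGroup.keAlgParamSpec, random)` in the `ECDHEPossession` constructor. Both bodies continue outside the visible hunks.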