8226374: Restrict TLS signature schemes and named groups

Reviewed-by: mullan
This commit is contained in:
Xue-Lei Andrew Fan 2019-08-12 21:36:29 -07:00
parent de8ce983b3
commit 316140ff92
18 changed files with 810 additions and 626 deletions


@ -38,6 +38,7 @@ import java.security.Signature;
import java.security.SignatureException;
import java.text.MessageFormat;
import java.util.Locale;
import sun.security.ssl.NamedGroup.NamedGroupSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
import sun.security.ssl.X509Authentication.X509Credentials;
@ -110,13 +111,18 @@ final class ECDHServerKeyExchange {
// Find the NamedGroup used for the ephemeral keys.
namedGroup = namedGroupPossession.getNamedGroup();
publicPoint = namedGroup.encodePossessionPublicKey(
namedGroupPossession);
if ((namedGroup == null) || (namedGroup.oid == null) ) {
if ((namedGroup == null) || (!namedGroup.isAvailable)) {
// unlikely
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Missing Named Group");
"Missing or improper named group: " + namedGroup);
}
publicPoint = namedGroup.encodePossessionPublicKey(
namedGroupPossession);
if (publicPoint == null) {
// unlikely
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Missing public point for named group: " + namedGroup);
}
if (x509Possession == null) {
@ -130,6 +136,7 @@ final class ECDHServerKeyExchange {
Signature signer = null;
if (useExplicitSigAlgorithm) {
signatureScheme = SignatureScheme.getPreferableAlgorithm(
shc.algorithmConstraints,
shc.peerRequestedSignatureSchemes,
x509Possession,
shc.negotiatedProtocol);
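Review bot: In the named-group hunk, both new failure paths (`"Missing or improper named group: "` and `"Missing public point for named group: "`) describe a server-local problem — the server's own possession yielding an unavailable group or no encodable public point — yet they send the peer `Alert.ILLEGAL_PARAMETER`, which in TLS signals that a field in the *peer's* handshake message was out of range or inconsistent. If the package already uses it for this situation, `throw shc.conContext.fatal(Alert.INTERNAL_ERROR,` would avoid blaming the client for what the `// unlikely` comments themselves treat as a configuration or implementation fault. Separately, `namedGroup.isAvailable` is read as a bare field rather than a method; if that field can change after construction the check and the subsequent `encodePossessionPublicKey` call are not guaranteed to see the same value, so it is worth confirming it is `final`. The enclosing method starts before and continues after the visible hunks.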