8341964: Add mechanism to disable different parts of TLS cipher suite

Reviewed-by: mullan, ascarpino
2025-08-27 14:54:52 +02:00 · 2024-11-14 17:44:13 +00:00 · 2024-11-14 17:44:13 +00:00 · 697f27c5d5
commit 697f27c5d5
parent 002b985a46
6 changed files with 521 additions and 269 deletions
--- a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
+++ b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -42,21 +42,21 @@ import java.security.spec.NamedParameterSpec;
 import java.security.spec.PSSParameterSpec;
 import java.time.DateTimeException;
 import java.time.Instant;
-import java.time.ZonedDateTime;
 import java.time.ZoneId;
+import java.time.ZonedDateTime;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collection;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
-import java.util.Collection;
 import java.util.StringTokenizer;
 import java.util.concurrent.ConcurrentHashMap;
-import java.util.regex.Pattern;
 import java.util.regex.Matcher;
+import java.util.regex.Pattern;

 /**
 * Algorithm constraints for disabled algorithms property
@ -101,6 +101,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
    }

    private final Set<String> disabledAlgorithms;
+    private final List<Pattern> disabledPatterns;
    private final Constraints algorithmConstraints;
    private volatile SoftReference<Map<String, Boolean>> cacheRef =
            new SoftReference<>(null);
@ -136,6 +137,13 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
        super(decomposer);
        disabledAlgorithms = getAlgorithms(propertyName);

+        // Support patterns only for jdk.tls.disabledAlgorithms
+        if (PROPERTY_TLS_DISABLED_ALGS.equals(propertyName)) {
+            disabledPatterns = getDisabledPatterns();
+        } else {
+            disabledPatterns = null;
+        }
+
        // Check for alias
        for (String s : disabledAlgorithms) {
            Matcher matcher = INCLUDE_PATTERN.matcher(s);
@ -967,11 +975,48 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
        if (result != null) {
            return result;
        }
-        result = checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
+        // We won't check patterns if algorithm check fails.
+        result = checkAlgorithm(disabledAlgorithms, algorithm, decomposer)
+                && checkDisabledPatterns(algorithm);
        cache.put(algorithm, result);
        return result;
    }

+    private boolean checkDisabledPatterns(final String algorithm) {
+        return disabledPatterns == null || disabledPatterns.stream().noneMatch(
+                p -> p.matcher(algorithm).matches());
+    }
+
+    private List<Pattern> getDisabledPatterns() {
+        List<Pattern> ret = null;
+        List<String> patternStrings = new ArrayList<>(4);
+
+        for (String p : disabledAlgorithms) {
+            if (p.contains("*")) {
+                if (!p.startsWith("TLS_")) {
+                    throw new IllegalArgumentException(
+                            "Wildcard pattern must start with \"TLS_\"");
+                }
+                patternStrings.add(p);
+            }
+        }
+
+        if (!patternStrings.isEmpty()) {
+            ret = new ArrayList<>(patternStrings.size());
+
+            for (String p : patternStrings) {
+                // Exclude patterns from algorithm code flow.
+                disabledAlgorithms.remove(p);
+
+                // Ignore all regex characters but asterisk.
+                ret.add(Pattern.compile(
+                        "^\\Q" + p.replace("*", "\\E.*\\Q") + "\\E$"));
+            }
+        }
+
+        return ret;
+    }
+
    /*
     * This constraint is used for the complete disabling of the algorithm.
     */
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@ -729,7 +729,11 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1
 # This is in addition to the jdk.certpath.disabledAlgorithms property above.
 #
 # See the specification of "jdk.certpath.disabledAlgorithms" for the
-# syntax of the disabled algorithm string.
+# syntax of the disabled algorithm string. Additionally, TLS cipher suites
+# can be disabled with this property using one or more "*" wildcard characters.
+# For example, "TLS_RSA_*" disables all cipher suites that start with
+# "TLS_RSA_". Only cipher suites starting with "TLS_" are allowed to have
+# wildcard characters.
 #
 # Note: The algorithm restrictions do not apply to trust anchors or
 # self-signed certificates.
@ -739,7 +743,7 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
-#       rsa_pkcs1_sha1, secp224r1
+#       rsa_pkcs1_sha1, secp224r1, TLS_RSA_*
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
    MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    ECDH