archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 22:34:27 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8185292: Stricter key generation

Browse source 
Reviewed-by: mullan
This commit is contained in:
Adam Petcher 2017-10-24 09:58:27 -04:00
parent bb586d9974
commit 91a1005273
7 changed files with 52 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

23
src/java.base/share/classes/com/sun/crypto/provider/DHKeyAgreement.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -28,11 +28,13 @@ package com.sun.crypto.provider;
import java.util.*;
import java.lang.*;
import java.math.BigInteger;
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.PrivilegedAction;
import java.security.ProviderException;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidKeySpecException;
@ -60,6 +62,17 @@ extends KeyAgreementSpi {
private BigInteger x = BigInteger.ZERO; // the private value
private BigInteger y = BigInteger.ZERO;
private static class AllowKDF {
private static final boolean VALUE = getValue();
private static boolean getValue() {
return AccessController.doPrivileged(
(PrivilegedAction<Boolean>)
() -> Boolean.getBoolean("jdk.crypto.KeyAgreement.legacyKDF"));
}
}
/**
* Empty constructor
*/
@ -367,6 +380,14 @@ extends KeyAgreementSpi {
if (algorithm == null) {
throw new NoSuchAlgorithmException("null algorithm");
}
if (!algorithm.equalsIgnoreCase("TlsPremasterSecret") &&
!AllowKDF.VALUE) {
throw new NoSuchAlgorithmException("Unsupported secret key "
+ "algorithm: " + algorithm);
}
byte[] secret = engineGenerateSecret();
if (algorithm.equalsIgnoreCase("DES")) {
// DES