8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

Reviewed-by: mullan, xuelei, weijun

src/java.base/share/classes/sun/security/tools/keytool/Main.java

@@ -4654,7 +4654,7 @@ public final class Main {
                     rb.getString("whose.key.risk"),
                     label,
                     String.format(rb.getString("key.bit"),
-                            KeyUtil.getKeySize(key), key.getAlgorithm())));
+                            KeyUtil.getKeySize(key), fullDisplayAlgName(key))));
         }
     }
 

src/java.base/share/classes/sun/security/util/AbstractAlgorithmConstraints.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,10 @@ import java.security.AccessController;
 import java.security.AlgorithmConstraints;
 import java.security.PrivilegedAction;
 import java.security.Security;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
 import java.util.Set;
 
 /**
@@ -44,7 +48,7 @@ public abstract class AbstractAlgorithmConstraints
     }
 
     // Get algorithm constraints from the specified security property.
-    static String[] getAlgorithms(String propertyName) {
+    static List<String> getAlgorithms(String propertyName) {
         String property = AccessController.doPrivileged(
                 new PrivilegedAction<String>() {
                     @Override
@@ -68,12 +72,12 @@ public abstract class AbstractAlgorithmConstraints
 
         // map the disabled algorithms
         if (algorithmsInProperty == null) {
-            algorithmsInProperty = new String[0];
+            return Collections.emptyList();
         }
-        return algorithmsInProperty;
+        return new ArrayList<>(Arrays.asList(algorithmsInProperty));
     }
 
-    static boolean checkAlgorithm(String[] algorithms, String algorithm,
+    static boolean checkAlgorithm(List<String> algorithms, String algorithm,
             AlgorithmDecomposer decomposer) {
         if (algorithm == null || algorithm.isEmpty()) {
             throw new IllegalArgumentException("No algorithm name specified");

src/java.base/share/classes/sun/security/util/ConstraintsParameters.java

@@ -31,6 +31,9 @@ import java.security.AlgorithmParameters;
 import java.security.Key;
 import java.security.Timestamp;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.XECKey;
+import java.security.spec.NamedParameterSpec;
 import java.util.Date;
 
 /**
@@ -49,8 +52,8 @@ public class ConstraintsParameters {
     private final String algorithm;
     // AlgorithmParameters to the algorithm being checked
     private final AlgorithmParameters algParams;
-    // Public Key being checked against constraints
+    // Key being checked against constraints
-    private final Key publicKey;
+    private final Key key;
 
     /*
      * New values that are checked against constraints that the current public
@@ -66,6 +69,9 @@ public class ConstraintsParameters {
     // Timestamp of the signed JAR file
     private final Timestamp jarTimestamp;
     private final String variant;
+    // Named Curve
+    private final String[] curveStr;
+    private static final String[] EMPTYLIST = new String[0];
 
     public ConstraintsParameters(X509Certificate c, boolean match,
             Date pkixdate, Timestamp jarTime, String variant) {
@@ -76,14 +82,20 @@ public class ConstraintsParameters {
         this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
         algorithm = null;
         algParams = null;
-        publicKey = null;
+        key = null;
+        if (c != null) {
+            curveStr = getNamedCurveFromKey(c.getPublicKey());
+        } else {
+            curveStr = EMPTYLIST;
+        }
     }
 
     public ConstraintsParameters(String algorithm, AlgorithmParameters params,
             Key key, String variant) {
         this.algorithm = algorithm;
         algParams = params;
-        this.publicKey = key;
+        this.key = key;
+        curveStr = getNamedCurveFromKey(key);
         cert = null;
         trustedMatch = false;
         pkixDate = null;
@@ -109,9 +121,10 @@ public class ConstraintsParameters {
         return algParams;
     }
 
-    public Key getPublicKey() {
+    public Key getKey() {
-        return publicKey;
+        return key;
     }
+
     // Returns if the trust anchor has a match if anchor checking is enabled.
     public boolean isTrustedMatch() {
         return trustedMatch;
@@ -132,4 +145,47 @@ public class ConstraintsParameters {
     public String getVariant() {
         return variant;
     }
+
+    public String[] getNamedCurve() {
+        return curveStr;
+    }
+
+    public static String[] getNamedCurveFromKey(Key key) {
+        if (key instanceof ECKey) {
+            NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
+            return (nc == null ? EMPTYLIST : CurveDB.getNamesByOID(nc.getObjectId()));
+        } else if (key instanceof XECKey) {
+            String[] s = {
+                    ((NamedParameterSpec)((XECKey)key).getParams()).getName()
+            };
+            return s;
+        } else {
+            return EMPTYLIST;
+        }
+    }
+
+    public String toString() {
+        StringBuilder s = new StringBuilder();
+        s.append("Cert:       ");
+        if (cert != null) {
+            s.append(cert.toString());
+            s.append("\nSigAlgo:    ");
+            s.append(cert.getSigAlgName());
+        } else {
+            s.append("None");
+        }
+        s.append("\nAlgParams:  ");
+        if (getAlgParams() != null) {
+            getAlgParams().toString();
+        } else {
+            s.append("None");
+        }
+        s.append("\nNamedCurves: ");
+        for (String c : getNamedCurve()) {
+            s.append(c + " ");
+        }
+        s.append("\nVariant:    " + getVariant());
+        return s.toString();
+    }
+
 }

src/java.base/share/classes/sun/security/util/CurveDB.java

@@ -154,8 +154,27 @@ public class CurveDB {
         }
     }
 
+    private static class Holder {
+        private static final Pattern nameSplitPattern = Pattern.compile(
+                SPLIT_PATTERN);
+    }
+
+    // Return all the names the EC curve could be using.
+    static String[] getNamesByOID(String oid) {
+        NamedCurve nc = oidMap.get(oid);
+        if (nc == null) {
+            return new String[0];
+        }
+        String[] list = Holder.nameSplitPattern.split(nc.getName());
+        int i = 0;
+        do {
+            list[i] = list[i].trim();
+        } while (++i < list.length);
+        return list;
+    }
+
     static {
-        Pattern nameSplitPattern = Pattern.compile(SPLIT_PATTERN);
+        Pattern nameSplitPattern = Holder.nameSplitPattern;
 
         /* SEC2 prime curves */
         add("secp112r1", "1.3.132.0.6", P,

src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,8 +27,6 @@ package sun.security.util;
 
 import sun.security.validator.Validator;
 
-import java.io.ByteArrayOutputStream;
-import java.io.PrintStream;
 import java.security.CryptoPrimitive;
 import java.security.AlgorithmParameters;
 import java.security.Key;
@@ -37,6 +35,7 @@ import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.X509Certificate;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.HashMap;
@@ -60,19 +59,23 @@ import java.util.regex.Matcher;
 public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
     private static final Debug debug = Debug.getInstance("certpath");
 
-    // the known security property, jdk.certpath.disabledAlgorithms
+    // Disabled algorithm security property for certificate path
     public static final String PROPERTY_CERTPATH_DISABLED_ALGS =
             "jdk.certpath.disabledAlgorithms";
 
-    // the known security property, jdk.tls.disabledAlgorithms
+    // Disabled algorithm security property for TLS
     public static final String PROPERTY_TLS_DISABLED_ALGS =
             "jdk.tls.disabledAlgorithms";
 
-    // the known security property, jdk.jar.disabledAlgorithms
+    // Disabled algorithm security property for jar
     public static final String PROPERTY_JAR_DISABLED_ALGS =
             "jdk.jar.disabledAlgorithms";
 
-    private final String[] disabledAlgorithms;
+    // Property for disabled EC named curves
+    private static final String PROPERTY_DISABLED_EC_CURVES =
+            "jdk.disabled.namedCurves";
+
+    private final List<String> disabledAlgorithms;
     private final Constraints algorithmConstraints;
 
     /**
@@ -97,6 +100,24 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
             AlgorithmDecomposer decomposer) {
         super(decomposer);
         disabledAlgorithms = getAlgorithms(propertyName);
+
+        // Check for alias
+        int ecindex = -1, i = 0;
+        for (String s : disabledAlgorithms) {
+            if (s.regionMatches(true, 0,"include ", 0, 8)) {
+                if (s.regionMatches(true, 8, PROPERTY_DISABLED_EC_CURVES, 0,
+                        PROPERTY_DISABLED_EC_CURVES.length())) {
+                    ecindex = i;
+                    break;
+                }
+            }
+            i++;
+        }
+        if (ecindex > -1) {
+            disabledAlgorithms.remove(ecindex);
+            disabledAlgorithms.addAll(ecindex,
+                    getAlgorithms(PROPERTY_DISABLED_EC_CURVES));
+        }
         algorithmConstraints = new Constraints(disabledAlgorithms);
     }
 
@@ -164,6 +185,19 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
 
     public final void permits(String algorithm, ConstraintsParameters cp)
             throws CertPathValidatorException {
+
+        // Check if named curves in the ConstraintParameters are disabled.
+        if (cp.getNamedCurve() != null) {
+            for (String curve : cp.getNamedCurve()) {
+                if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
+                    throw new CertPathValidatorException(
+                            "Algorithm constraints check failed on disabled " +
+                                    "algorithm: " + curve,
+                            null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
+                }
+            }
+        }
+
         algorithmConstraints.permits(algorithm, cp);
     }
 
@@ -199,6 +233,13 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
             return false;
         }
 
+        // If this is an elliptic curve, check disabled the named curve.
+        for (String curve : ConstraintsParameters.getNamedCurveFromKey(key)) {
+            if (!permits(primitives, curve, null)) {
+                return false;
+            }
+        }
+
         // check the key constraints
         return algorithmConstraints.permits(key);
     }
@@ -230,7 +271,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
                     "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
         }
 
-        public Constraints(String[] constraintArray) {
+        public Constraints(List<String> constraintArray) {
             for (String constraintEntry : constraintArray) {
                 if (constraintEntry == null || constraintEntry.isEmpty()) {
                     continue;
@@ -257,7 +298,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
                     constraintsMap.putIfAbsent(alias, constraintList);
                 }
 
-                if (space <= 0) {
+                // If there is no whitespace, it is a algorithm name; however,
+                // if there is a whitespace, could be a multi-word EC curve too.
+                if (space <= 0 || CurveDB.lookup(constraintEntry) != null) {
                     constraintList.add(new DisabledConstraint(algorithm));
                     continue;
                 }
@@ -356,7 +399,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
             for (Constraint constraint : list) {
                 if (!constraint.permits(key)) {
                     if (debug != null) {
-                        debug.println("keySizeConstraint: failed key " +
+                        debug.println("Constraints: failed key size" +
                                 "constraint check " + KeyUtil.getKeySize(key));
                     }
                     return false;
@@ -375,7 +418,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
             for (Constraint constraint : list) {
                 if (!constraint.permits(aps)) {
                     if (debug != null) {
-                        debug.println("keySizeConstraint: failed algorithm " +
+                        debug.println("Constraints: failed algorithm " +
                                 "parameters constraint check " + aps);
                     }
 
@@ -392,8 +435,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
             X509Certificate cert = cp.getCertificate();
 
             if (debug != null) {
-                debug.println("Constraints.permits(): " + algorithm +
+                debug.println("Constraints.permits(): " + cp.toString());
-                        " Variant: " + cp.getVariant());
             }
 
             // Get all signature algorithms to check for constraints
@@ -406,8 +448,8 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
             if (cert != null) {
                 algorithms.add(cert.getPublicKey().getAlgorithm());
             }
-            if (cp.getPublicKey() != null) {
+            if (cp.getKey() != null) {
-                algorithms.add(cp.getPublicKey().getAlgorithm());
+                algorithms.add(cp.getKey().getAlgorithm());
             }
             // Check all applicable constraints
             for (String alg : algorithms) {
@@ -546,10 +588,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
          * the constraint denies the operation.
          */
         boolean next(Key key) {
-            if (nextConstraint != null && nextConstraint.permits(key)) {
+            return nextConstraint != null && nextConstraint.permits(key);
-                return true;
-            }
-            return false;
         }
 
         String extendedMsg(ConstraintsParameters cp) {
@@ -799,8 +838,8 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
         public void permits(ConstraintsParameters cp)
                 throws CertPathValidatorException {
             Key key = null;
-            if (cp.getPublicKey() != null) {
+            if (cp.getKey() != null) {
-                key = cp.getPublicKey();
+                key = cp.getKey();
             } else if (cp.getCertificate() != null) {
                 key = cp.getCertificate().getPublicKey();
             }

src/java.base/share/classes/sun/security/util/LegacyAlgorithmConstraints.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,8 +28,8 @@ package sun.security.util;
 import java.security.AlgorithmParameters;
 import java.security.CryptoPrimitive;
 import java.security.Key;
+import java.util.List;
 import java.util.Set;
-import static sun.security.util.AbstractAlgorithmConstraints.getAlgorithms;
 
 /**
  * Algorithm constraints for legacy algorithms.
@@ -40,7 +40,7 @@ public class LegacyAlgorithmConstraints extends AbstractAlgorithmConstraints {
     public static final String PROPERTY_TLS_LEGACY_ALGS =
             "jdk.tls.legacyAlgorithms";
 
-    private final String[] legacyAlgorithms;
+    private final List<String> legacyAlgorithms;
 
     public LegacyAlgorithmConstraints(String propertyName,
             AlgorithmDecomposer decomposer) {

src/java.base/share/conf/security/java.security

@@ -501,6 +501,22 @@ sun.security.krb5.disableReferrals=false
 # be overwritten with a System property (-Dsun.security.krb5.maxReferrals).
 sun.security.krb5.maxReferrals=5
 
+#
+# This property contains a list of disabled EC Named Curves that can be included
+# in the jdk.[tls|certpath|jar].disabledAlgorithms properties.  To include this
+# list in any of the disabledAlgorithms properties, add the property name as
+# an entry.
+jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
+    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
+    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
+    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
+    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
+    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
+    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
+    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
+    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1, \
+    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
+
 #
 # Algorithm restrictions for certification path (CertPath) processing
 #
@@ -515,7 +531,7 @@ sun.security.krb5.maxReferrals=5
 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 #
 #   DisabledAlgorithm:
-#       AlgorithmName [Constraint] { '&' Constraint }
+#       AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty
 #
 #   AlgorithmName:
 #       (see below)
@@ -542,6 +558,9 @@ sun.security.krb5.maxReferrals=5
 #   UsageConstraint:
 #       usage [TLSServer] [TLSClient] [SignedJAR]
 #
+#   IncludeProperty:
+#       include <security property>
+#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See the Java Security Standard Algorithm Names Specification
 # for information about Standard Algorithm Names.  Matching is
@@ -554,6 +573,14 @@ sun.security.krb5.maxReferrals=5
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
+# The "IncludeProperty" allows a implementation-defined security property that
+# can be included in the disabledAlgorithms properties.  These properties are
+# to help manage common actions easier across multiple disabledAlgorithm
+# properties.
+# There is one defined security property:  jdk.disabled.NamedCurves
+# See the property for more specific details.
+#
+#
 # A "Constraint" defines restrictions on the keys and/or certificates for
 # a specified AlgorithmName:
 #
@@ -626,7 +653,8 @@ sun.security.krb5.maxReferrals=5
 #
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
+    include jdk.disabled.namedCurves
 
 #
 # Algorithm restrictions for signed JAR files
@@ -670,7 +698,7 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
 #
 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
-      DSA keySize < 1024
+      DSA keySize < 1024, include jdk.disabled.namedCurves
 
 #
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
@@ -705,7 +733,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
 #       rsa_pkcs1_sha1, secp224r1
 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
-    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
+    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
+    include jdk.disabled.namedCurves
 
 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)