mirror of
https://github.com/openjdk/jdk.git
synced 2025-08-28 07:14:30 +02:00
8268199: Correct certificate requests
Reviewed-by: xuelei, ahgross, rhalade
This commit is contained in:
parent
44ce867314
commit
f2c5728a86
1 changed files with 26 additions and 3 deletions
|
@ -31,6 +31,7 @@ import java.security.PrivateKey;
|
|||
import java.security.cert.X509Certificate;
|
||||
import java.text.MessageFormat;
|
||||
import java.util.ArrayList;
|
||||
import java.util.Arrays;
|
||||
import java.util.Collection;
|
||||
import java.util.Collections;
|
||||
import java.util.HashSet;
|
||||
|
@ -729,7 +730,7 @@ final class CertificateRequest {
|
|||
// the SSLPossession. Instead, the choosePossession method
|
||||
// will use the accepted signature schemes in the message to
|
||||
// determine the set of acceptable certificate types to select from.
|
||||
SSLPossession pos = choosePossession(chc);
|
||||
SSLPossession pos = choosePossession(chc, crm);
|
||||
if (pos == null) {
|
||||
return;
|
||||
}
|
||||
|
@ -739,8 +740,8 @@ final class CertificateRequest {
|
|||
SSLHandshake.CERTIFICATE_VERIFY);
|
||||
}
|
||||
|
||||
private static SSLPossession choosePossession(HandshakeContext hc)
|
||||
throws IOException {
|
||||
private static SSLPossession choosePossession(HandshakeContext hc,
|
||||
T12CertificateRequestMessage crm) throws IOException {
|
||||
if (hc.peerRequestedCertSignSchemes == null ||
|
||||
hc.peerRequestedCertSignSchemes.isEmpty()) {
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
|
@ -750,6 +751,15 @@ final class CertificateRequest {
|
|||
return null;
|
||||
}
|
||||
|
||||
// Put the CR key type into a more friendly format for searching
|
||||
List<String> crKeyTypes = new ArrayList<>(
|
||||
Arrays.asList(crm.getKeyTypes()));
|
||||
// For TLS 1.2 only if RSA is a requested key type then we
|
||||
// should also allow RSASSA-PSS.
|
||||
if (crKeyTypes.contains("RSA")) {
|
||||
crKeyTypes.add("RSASSA-PSS");
|
||||
}
|
||||
|
||||
Collection<String> checkedKeyTypes = new HashSet<>();
|
||||
List<String> supportedKeyTypes = new ArrayList<>();
|
||||
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
|
||||
|
@ -784,6 +794,19 @@ final class CertificateRequest {
|
|||
"Unsupported authentication scheme: " + ss.name);
|
||||
}
|
||||
continue;
|
||||
} else {
|
||||
// Any auth object will have a set of allowed key types.
|
||||
// This set should share at least one common algorithm with
|
||||
// the CR's allowed key types.
|
||||
if (Collections.disjoint(crKeyTypes,
|
||||
Arrays.asList(ka.keyTypes))) {
|
||||
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
|
||||
SSLLogger.warning(
|
||||
"Unsupported authentication scheme: " +
|
||||
ss.name);
|
||||
}
|
||||
continue;
|
||||
}
|
||||
}
|
||||
supportedKeyTypes.add(ss.keyAlgorithm);
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue