Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8178728

Check the AlgorithmParameters in algorithm constraints

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P3
    • Resolution: Fixed
    • Affects Version/s: 6
    • Fix Version/s: 10
    • Component/s: security-libs
    • Labels:
      None

      Backports

        Description

        The DisabledAlgorithmConstraints.permits() does not consider the impact of AlgorithmParameters.

        107 public final boolean permits(Set<CryptoPrimitive> primitives,
        108 String algorithm, AlgorithmParameters parameters) {
        109 return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
        110 }

        The 'parameters' argument is not used here. However, the parameters may contains security information (for example key sizes, DSA, DH, RSA parameters).

        TLS implementation depends on this method to check the validity of a AlgorithmParameters. For example, in the FFDHE implementation, it is needed to check whether a DH group (DHE parameter) is available or not. If parameters checking is ignore in the constraints checking, unavailable/disabled DH groups may be requested and negotiated for a TLS/DTLS handshaking, and then the handshaking fails because the negotiated key is disabled by the constraints.

        Adding the following lines to test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java can be used as regression test.

         * @run main/othervm UseStrongDHSizes 3072
         * @run main/othervm UseStrongDHSizes 4096
         * @run main/othervm UseStrongDHSizes 6144

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  xuelei Xue-Lei Fan
                  Reporter:
                  xuelei Xue-Lei Fan
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  4 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: