JDK-8211866

TLS 1.3 CertificateRequest message sometimes offers disallowed signature algorithms

Details

    Resolved In Build: b16
    Verification: Not verified

Description

When an SSLSocket or SSLEngine is created without being restricted to TLS 1.3 only, then even after TLS 1.3 has been negotiated the CertificateRequest message (specifically its signature_algorithms extension) contains algorithms that are disallowed in TLS 1.3 (see RFC 8446, sec 4.2.3 near the end).

A sample CR message sent by a server that will negotiate any TLS version, but has negotiated TLS 1.3, looks like this:

javax.net.ssl|DEBUG|0A|pool-1-thread-1|2018-10-06 23:29:58.515 PDT|CertificateRequest.java:859|Produced CertificateRequest message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha224, rsa_sha224, dsa_sha224, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    }
  ]
}

Note the DSA and SHA-224 based algorithms in both the signature_algorithms and signature_algorithms_cert extensions.

If, however, the SSLSocket/SSLEngine is created such that TLS 1.3 is the only enabled protocol, then the advertised signature algorithms do not contain these disallowed schemes:

javax.net.ssl|DEBUG|0A|pool-1-thread-1|2018-10-06 23:46:44.999 PDT|CertificateRequest.java:859|Produced CertificateRequest message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp512r1_sha512, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    }
  ]
}
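As an added example (not JDK code and not part of this issue), a small Python checker that decodes the raw body of a signature_algorithms extension and flags the code points that RFC 8446 section 4.2.3 reserves or marks obsolete for TLS 1.3, i.e. the DSA and SHA-224 pairs visible in the first trace. The code point table follows the RFC, and the sample scheme list is constructed from the first trace above; neither is taken from JDK internals.

```python
import struct
# SignatureScheme code points TLS 1.3 defines (RFC 8446, section 4.2.3)
TLS13_SCHEMES = {
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0403: "ecdsa_secp256r1_sha256", 0x0503: "ecdsa_secp384r1_sha384",
    0x0603: "ecdsa_secp521r1_sha512",  # the JDK trace above prints this one as ecdsa_secp512r1_sha512
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}
# Legacy SHA-1 schemes: may be advertised for certificate signatures only, never used in CertificateVerify
LEGACY_CERT_ONLY = {0x0201: "rsa_pkcs1_sha1", 0x0203: "ecdsa_sha1"}
# TLS 1.2 hash/signature byte pairs; any pair not listed above (DSA, MD5 or SHA-224) is
# reserved or obsolete in TLS 1.3 and must not be offered once TLS 1.3 is negotiated
TLS12_HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
TLS12_SIG = {1: "rsa", 2: "dsa", 3: "ecdsa"}

def classify(scheme):
    """Map a 16-bit SignatureScheme to (name, status); status is ok, legacy, disallowed or unknown."""
    if scheme in TLS13_SCHEMES:
        return TLS13_SCHEMES[scheme], "ok"
    if scheme in LEGACY_CERT_ONLY:
        return LEGACY_CERT_ONLY[scheme], "legacy"
    hash_id, sig_id = scheme >> 8, scheme & 0xFF
    if hash_id in TLS12_HASH and sig_id in TLS12_SIG:
        return f"{TLS12_SIG[sig_id]}_{TLS12_HASH[hash_id]}", "disallowed"
    return f"unknown(0x{scheme:04x})", "unknown"

def parse_signature_algorithms(ext_data):
    """Decode the extension body: a 2-byte length followed by 2-byte SignatureScheme values."""
    if len(ext_data) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_data[:2])
    body = ext_data[2:2 + length]
    if len(body) != length or length < 2 or length % 2:
        raise ValueError("bad signature_algorithms length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(0, length, 2)]

def disallowed_schemes(ext_data):
    """Names of the advertised schemes that a TLS 1.3 CertificateRequest must not contain."""
    return [name for name, status in map(classify, parse_signature_algorithms(ext_data))
            if status == "disallowed"]

def encode_signature_algorithms(schemes):
    """Build an extension body from a list of code points (used here to construct the sample input)."""
    return struct.pack("!H", 2 * len(schemes)) + b"".join(struct.pack("!H", s) for s in schemes)

# Constructed sample: the 19 schemes from the first debug trace above, re-encoded in wire order
MIXED_SERVER_LIST = [0x0403, 0x0503, 0x0603, 0x0804, 0x0805, 0x0806, 0x0809, 0x080A, 0x080B,
                     0x0401, 0x0501, 0x0601, 0x0402, 0x0303, 0x0301, 0x0302, 0x0203, 0x0201, 0x0202]
```

Running disallowed_schemes over the encoded sample reports exactly the five DSA and SHA-224 schemes, while the TLS 1.3-only list from the second trace produces no findings.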
People

    Assignee: Jamil Nimeh (jnimeh)
    Reporter: Jamil Nimeh (jnimeh)