JDK-8226374

Restrict TLS signature schemes and named groups

    Details

    • Subcomponent:
    • Resolved In Build:
      b10
    • CPU:
      x86_64
    • OS:
      windows_7


        Description

        A DESCRIPTION OF THE PROBLEM :
        We are trying to disable RSASSA-PSS, because it is not supported in the JCE PKCS11 wrapper, and causes errors when setting up TLS1.2 errors.
        It is possible to do this using jdk.tls.disabledAlgorithms with RSASSA-PSS, if this is done on both sides (client & server).
        But if this is done only on the client side, which means the server still gives RSASSA-PSS as one of the options in its CertificateRequest message, the client will still choose RSASSA-PSS and fail.

        I think the core of the problem lies within the CertificateVerify.T12CertificateVerifyMessage constructor, which selects the signature algorithm as follows:
                    this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
                            chc.peerRequestedSignatureSchemes,
                            x509Possession.popPrivateKey,
                            chc.negotiatedProtocol);

        chc.peerRequestedSignatureSchemes holds -all- algorithms sent by the server in its CertificateRequest message. Disabled algorithms are not filtered out.
        The getPreferableAlgorithm method also does not consider disabled algorithms.


        STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
        Set up TLS 1.2 client with jdk.tls.disabledAlgorithms with RSASSA-PSS
        Set up TLS 1.2 server which does not have RSASSA-PSS disabled
        Connect the client to the server.



        FREQUENCY : always
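
        A simplified model of the selection step described in the report, added here as an illustration; it is not JDK source and not the fix applied to the JDK. The names Scheme, disabledNames and choose are hypothetical, the scheme list and property value are constructed samples, and Java 16+ is assumed for records.

```java
import java.util.*;

// Simplified model of client-side signature scheme selection for CertificateVerify.
// Not JDK source: Scheme, disabledNames(), choose() and the sample data are constructed.
public class SchemeSelectionModel {
    record Scheme(String tlsName, String jcaAlgorithm, String keyAlgorithm) {}

    // Parse a jdk.tls.disabledAlgorithms-style value. Only bare algorithm names are
    // modelled; constraint entries such as "RSA keySize < 1024" are skipped.
    static Set<String> disabledNames(String property) {
        Set<String> names = new HashSet<>();
        for (String entry : property.split(",")) {
            String e = entry.trim();
            if (!e.isEmpty() && !e.contains(" ")) names.add(e.toUpperCase(Locale.ROOT));
        }
        return names;
    }

    // Return the first peer-requested scheme that fits the private key and is not
    // disabled locally. Passing an empty 'disabled' set models the reported behaviour.
    static Optional<Scheme> choose(List<Scheme> peerRequested, String keyAlgorithm,
                                   Set<String> disabled) {
        return peerRequested.stream()
                .filter(s -> s.keyAlgorithm().equals(keyAlgorithm))
                .filter(s -> !disabled.contains(s.jcaAlgorithm().toUpperCase(Locale.ROOT)))
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed CertificateRequest contents: the server still lists RSASSA-PSS first.
        List<Scheme> fromServer = List.of(
                new Scheme("rsa_pss_rsae_sha256", "RSASSA-PSS", "RSA"),
                new Scheme("rsa_pkcs1_sha256", "SHA256withRSA", "RSA"),
                new Scheme("ecdsa_secp256r1_sha256", "SHA256withECDSA", "EC"));
        // Constructed client-side property value with RSASSA-PSS disabled.
        Set<String> clientDisabled = disabledNames("SSLv3, RC4, RSA keySize < 1024, RSASSA-PSS");

        // Peer list used as-is: the client-side setting has no effect on the choice.
        System.out.println("unfiltered: "
                + choose(fromServer, "RSA", Set.of()).map(Scheme::tlsName).orElse("none"));
        // Peer list filtered against the client's disabled set before choosing.
        System.out.println("filtered:   "
                + choose(fromServer, "RSA", clientDisabled).map(Scheme::tlsName).orElse("none"));
    }
}
```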


                People

                • Assignee:
                  xuelei Xue-Lei Fan
                  Reporter:
                  webbuggrp Webbug Group