Details

Type: CSR

Status: Closed

Priority: P3

Resolution: Approved

Fix Version/s: 13pool

Component/s: securitylibs

Labels: None

Subcomponent:

Compatibility Kind: behavioral

Compatibility Risk: minimal

Interface Kind: System or security property

Scope: JDK
Description
Summary
Support signature scheme and named group restriction in the TLS implementation. No changes from JDK 14 (CSR JDK-8227445).
Problem
Signature schemes and named groups are essential security parameters of TLS connections. Some of them are weak, and some of them are too new to be supported in some circumstances. Applications may want to restrict them.
Note that JCE signature algorithms can already be restricted, but that restriction operates at a lower layer and is not always sufficient to restrict specific TLS signature schemes, which use a different namespace.
In the future, the implementation may be requested to backport to previous JDK releases, for example JDK 11 or JDK 8.
Solution
Support signature scheme and named group restriction in the TLS implementation with algorithm constraints. Algorithm constraints can be configured with the SSLParameters.setAlgorithmConstraints(AlgorithmConstraints) method or the security property "jdk.tls.disabledAlgorithms".
In the TLS specification, signature schemes are used to customize the signature algorithms of TLS connections as defined in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme. With this update, signature schemes can be restricted in the TLS implementation in the JDK. The following is a list of JDK-supported signature schemes:
  EdDSA algorithms
    ed25519
    ed448
  ECDSA algorithms
    ecdsa_secp256r1_sha256
    ecdsa_secp384r1_sha384
    ecdsa_secp521r1_sha512
  RSASSA-PSS algorithms with public key OID rsaEncryption
    rsa_pss_rsae_sha256
    rsa_pss_rsae_sha384
    rsa_pss_rsae_sha512
  RSASSA-PSS algorithms with public key OID RSASSA-PSS
    rsa_pss_pss_sha256
    rsa_pss_pss_sha384
    rsa_pss_pss_sha512
  RSASSA-PKCS1-v1_5 algorithms
    rsa_pkcs1_sha256
    rsa_pkcs1_sha384
    rsa_pkcs1_sha512
For TLS 1.2 and earlier versions, a signature scheme is defined as a pair of a signature algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16) and a hash algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18). In the JDK implementation, these signature schemes are named "signatureAlgorithm_hashAlgorithm". For example, "ecdsa_sha224" means the signature algorithm is ECDSA and the hash algorithm is SHA-224. The TLS 1.3 protocol no longer uses this naming convention. With this update, these signature schemes can also be restricted in the TLS implementation in the JDK. The following is a list of JDK-supported signature schemes that are deprecated by the TLS 1.3 protocol:
  Legacy signature schemes for TLS 1.2 and earlier versions
    dsa_sha256
    ecdsa_sha224
    rsa_sha224
    dsa_sha224
    ecdsa_sha1
    rsa_pkcs1_sha1
    dsa_sha1
    rsa_md5
In the TLS specification, named groups are used to customize the key exchange algorithms of TLS connections as defined in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8. With this update, named groups can be restricted in the TLS implementation in the JDK. The following is a list of JDK-supported named groups:
  NIST-defined elliptic curves (RFC 4492)
    sect163k1
    sect163r1
    sect163r2
    sect193r1
    sect193r2
    sect233k1
    sect233r1
    sect239k1
    sect283k1
    sect283r1
    sect409k1
    sect409r1
    sect571k1
    sect571r1
    secp160k1
    secp160r1
    secp160r2
    secp192k1
    secp192r1
    secp224k1
    secp224r1
    secp256k1
    secp256r1
    secp384r1
    secp521r1
  x25519 and x448 (RFC 8422/8446)
    x25519
    x448
  Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
    ffdhe2048
    ffdhe3072
    ffdhe4096
    ffdhe6144
    ffdhe8192
Note that the signature scheme and group names are not standardized yet. A subsequent CSR will be filed for the standardization (see JDK-8210755).
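The following is an added example and is not code from this CSR or from the JDK sources. It shows the two mechanisms named in the Solution section side by side: a custom AlgorithmConstraints that denies a handful of the identifiers listed above, attached per connection through SSLParameters.setAlgorithmConstraints, and the process-wide equivalent via the "jdk.tls.disabledAlgorithms" security property. The class name, the chosen deny list and the host "example.invalid" are assumptions.

```java
import java.security.*;
import java.util.EnumSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Restricts TLS signature schemes and named groups by their JDK identifiers. */
public final class TlsRestrictions {
    // Constructed deny list drawn from the JDK-supported identifiers listed above (legacy schemes, small groups).
    static final Set<String> DENIED = Set.of(
            "rsa_pkcs1_sha1", "ecdsa_sha1", "rsa_md5", "secp224r1", "sect163k1");

    /** JSSE calls permits(primitives, name, null) with names such as "rsa_pkcs1_sha1" or "secp224r1". */
    static final AlgorithmConstraints DENY_LIST = new AlgorithmConstraints() {
        @Override public boolean permits(Set<CryptoPrimitive> prims, String alg, AlgorithmParameters p) {
            return !DENIED.contains(alg.toLowerCase());
        }
        @Override public boolean permits(Set<CryptoPrimitive> prims, Key key) {
            return true;  // key-size policy stays with the default jdk.tls.disabledAlgorithms checks
        }
        @Override public boolean permits(Set<CryptoPrimitive> prims, String alg, Key key, AlgorithmParameters p) {
            return permits(prims, alg, p);
        }
    };

    /** Per-connection restriction through SSLParameters.setAlgorithmConstraints. */
    static SSLEngine restrictedClientEngine(String host, int port) throws Exception {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();  // a copy, so it must be set back below
        params.setAlgorithmConstraints(DENY_LIST);
        engine.setSSLParameters(params);
        return engine;
    }

    /** Process-wide equivalent via the security property; must run before any JSSE class is loaded. */
    static void disableViaSecurityProperty() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String prefix = (current == null || current.isBlank()) ? "" : current + ", ";
        Security.setProperty("jdk.tls.disabledAlgorithms",
                prefix + "rsa_pkcs1_sha1, ecdsa_sha1, rsa_md5, secp224r1, sect163k1");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rsa_pkcs1_sha1 permitted: " + DENY_LIST.permits(EnumSet.of(CryptoPrimitive.SIGNATURE), "rsa_pkcs1_sha1", null));
        System.out.println("secp224r1 permitted: " + DENY_LIST.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), "secp224r1", null));
        SSLEngine e = restrictedClientEngine("example.invalid", 443);
        System.out.println("constraints attached: " + (e.getSSLParameters().getAlgorithmConstraints() == DENY_LIST));
    }
}
```

The property route only takes effect for contexts created after the JSSE provider reads the property, so it belongs at process start; the SSLParameters route works per engine or socket regardless of order.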
Specification
Update the Security Property "jdk.tls.disabledAlgorithms" specification by adding signature schemes and named groups restrictions.
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS/DTLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS/DTLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS/DTLS security parameters negotiation, including
 # protocol version negotiation, cipher suites selection, peer authentication
 # and key exchange mechanisms.
+ # protocol version negotiation, cipher suites selection, named groups
+ # selection, signature schemes selection, peer authentication and key
+ # exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
#
# For PKIbased peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# selfsigned certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+ # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
+ # rsa_pkcs1_sha256, secp224r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL
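Review bot: the new example lines add the identifiers rsa_pkcs1_sha256 and secp224r1, but the comment block only refers readers to "jdk.certpath.disabledAlgorithms" for the syntax of the disabled-algorithm string and never says where the accepted signature scheme and named group names come from, even though the CSR notes these names are not standardized yet. Consider a line beside the example such as "# Signature scheme and named group names are the TLS registry identifiers, e.g. rsa_pkcs1_sha256, secp256r1" so readers know which spelling the property expects.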
Issue Links
  csr of

JDK-8256334 Restrict TLS signature schemes and named groups
  Resolved

JDK-8256561 Restrict TLS signature schemes and named groups
  Resolved