
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java

rev 54061 : 8226374: Restrict TLS signature schemes and named groups
Reviewed-by: mullan


 718                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 719                     SSLLogger.warning("No signature and hash algorithms " +
 720                             "in CertificateRequest");
 721                 }
 722                 return null;
 723             }
 724 
 725             Collection<String> checkedKeyTypes = new HashSet<>();
 726             for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
 727                 if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
 728                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 729                         SSLLogger.warning(
 730                             "Unsupported authentication scheme: " + ss.name);
 731                     }
 732                     continue;
 733                 }
 734 
 735                 // Don't select a signature scheme unless we will be able to
 736                 // produce a CertificateVerify message later
 737                 if (SignatureScheme.getPreferableAlgorithm(

 738                         hc.peerRequestedSignatureSchemes,
 739                         ss, hc.negotiatedProtocol) == null) {
 740 
 741                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 742                         SSLLogger.warning(
 743                             "Unable to produce CertificateVerify for " +
 744                             "signature scheme: " + ss.name);
 745                     }
 746                     checkedKeyTypes.add(ss.keyAlgorithm);
 747                     continue;
 748                 }
 749 
 750                 SSLAuthentication ka = X509Authentication.valueOf(ss);
 751                 if (ka == null) {
 752                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 753                         SSLLogger.warning(
 754                             "Unsupported authentication scheme: " + ss.name);
 755                     }
 756                     checkedKeyTypes.add(ss.keyAlgorithm);
 757                     continue;




 718                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 719                     SSLLogger.warning("No signature and hash algorithms " +
 720                             "in CertificateRequest");
 721                 }
 722                 return null;
 723             }
 724 
 725             Collection<String> checkedKeyTypes = new HashSet<>();
 726             for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
 727                 if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
 728                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 729                         SSLLogger.warning(
 730                             "Unsupported authentication scheme: " + ss.name);
 731                     }
 732                     continue;
 733                 }
 734 
 735                 // Don't select a signature scheme unless we will be able to
 736                 // produce a CertificateVerify message later
 737                 if (SignatureScheme.getPreferableAlgorithm(
 738                         hc.algorithmConstraints,
 739                         hc.peerRequestedSignatureSchemes,
 740                         ss, hc.negotiatedProtocol) == null) {
 741 
 742                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 743                         SSLLogger.warning(
 744                             "Unable to produce CertificateVerify for " +
 745                             "signature scheme: " + ss.name);
 746                     }
 747                     checkedKeyTypes.add(ss.keyAlgorithm);
 748                     continue;
 749                 }
 750 
 751                 SSLAuthentication ka = X509Authentication.valueOf(ss);
 752                 if (ka == null) {
 753                     if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
 754                         SSLLogger.warning(
 755                             "Unsupported authentication scheme: " + ss.name);
 756                     }
 757                     checkedKeyTypes.add(ss.keyAlgorithm);
 758                     continue;
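Review bot: The warning at new lines 743-745 (`"Unable to produce CertificateVerify for signature scheme: "`) now covers two different causes, since the call at 737-740 also passes `hc.algorithmConstraints`: the peer offered no usable scheme, or, presumably, the local constraints rejected every candidate. Someone diagnosing a handshake in which no client certificate gets selected cannot tell a local policy restriction from a peer capability gap from this message; consider `"No permitted signature scheme to produce CertificateVerify for: " + ss.name` and extending the comment at 735-736 to `// ... produce a CertificateVerify message later, using a scheme the algorithm constraints permit`. The `checkedKeyTypes.add(ss.keyAlgorithm)` at 747 then skips every later scheme with that key algorithm, which is only correct if the lookup result depends on the key algorithm alone; that is not visible here and deserves a one-line comment. The enclosing method starts before line 718 and continues past line 758.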

