< prev index next >
src/java.base/share/classes/sun/security/ssl/HandshakeContext.java
Print this page
rev 54061 : 8226374: Restrict TLS signature schemes and named groups
Reviewed-by: mullan
@@ -44,12 +44,12 @@
import java.util.Queue;
import javax.crypto.SecretKey;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLHandshakeException;
import javax.security.auth.x500.X500Principal;
-import sun.security.ssl.NamedGroup.NamedGroupType;
-import static sun.security.ssl.NamedGroup.NamedGroupType.*;
+import sun.security.ssl.NamedGroup.NamedGroupSpec;
+import static sun.security.ssl.NamedGroup.NamedGroupSpec.*;
import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
abstract class HandshakeContext implements ConnectionContext {
// System properties
@@ -280,12 +280,12 @@
// Ignore disabled protocol.
continue;
}
boolean found = false;
- Map<NamedGroupType, Boolean> cachedStatus =
- new EnumMap<>(NamedGroupType.class);
+ Map<NamedGroupSpec, Boolean> cachedStatus =
+ new EnumMap<>(NamedGroupSpec.class);
for (CipherSuite suite : enabledCipherSuites) {
if (suite.isAvailable() && suite.supports(protocol)) {
if (isActivatable(suite,
algorithmConstraints, cachedStatus)) {
protocols.add(protocol);
@@ -320,12 +320,12 @@
List<CipherSuite> enabledCipherSuites,
AlgorithmConstraints algorithmConstraints) {
List<CipherSuite> suites = new LinkedList<>();
if (enabledProtocols != null && !enabledProtocols.isEmpty()) {
- Map<NamedGroupType, Boolean> cachedStatus =
- new EnumMap<>(NamedGroupType.class);
+ Map<NamedGroupSpec, Boolean> cachedStatus =
+ new EnumMap<>(NamedGroupSpec.class);
for (CipherSuite suite : enabledCipherSuites) {
if (!suite.isAvailable()) {
continue;
}
@@ -506,23 +506,23 @@
this.conContext.protocolVersion = protocolVersion;
}
private static boolean isActivatable(CipherSuite suite,
AlgorithmConstraints algorithmConstraints,
- Map<NamedGroupType, Boolean> cachedStatus) {
+ Map<NamedGroupSpec, Boolean> cachedStatus) {
if (algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
if (suite.keyExchange == null) {
// TLS 1.3, no definition of key exchange in cipher suite.
return true;
}
// Is at least one of the group types available?
boolean groupAvailable, retval = false;
- NamedGroupType[] groupTypes = suite.keyExchange.groupTypes;
- for (NamedGroupType groupType : groupTypes) {
+ NamedGroupSpec[] groupTypes = suite.keyExchange.groupTypes;
+ for (NamedGroupSpec groupType : groupTypes) {
if (groupType != NAMED_GROUP_NONE) {
Boolean checkedStatus = cachedStatus.get(groupType);
if (checkedStatus == null) {
groupAvailable = SupportedGroups.isActivatable(
algorithmConstraints, groupType);
< prev index next >