< prev index next >
src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
Print this page
rev 54061 : 8226374: Restrict TLS signature schemes and named groups
Reviewed-by: mullan
@@ -26,24 +26,19 @@
package sun.security.ssl;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmConstraints;
-import java.security.AlgorithmParameters;
-import java.security.CryptoPrimitive;
-import java.security.spec.ECGenParameterSpec;
-import java.security.spec.InvalidParameterSpecException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
-import java.util.EnumSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLProtocolException;
import sun.security.action.GetPropertyAction;
-import sun.security.ssl.NamedGroup.NamedGroupType;
+import sun.security.ssl.NamedGroup.NamedGroupSpec;
import static sun.security.ssl.SSLExtension.CH_SUPPORTED_GROUPS;
import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
import sun.security.ssl.SSLExtension.SSLExtensionSpec;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
@@ -190,11 +185,11 @@
group = group.trim();
if (!group.isEmpty()) {
NamedGroup namedGroup = NamedGroup.nameOf(group);
if (namedGroup != null &&
(!requireFips || namedGroup.isFips)) {
- if (isAvailableGroup(namedGroup)) {
+ if (namedGroup.isAvailable) {
groupList.add(namedGroup);
}
} // ignore unknown groups
}
}
@@ -245,11 +240,11 @@
};
}
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {
- if (isAvailableGroup(group)) {
+ if (group.isAvailable) {
groupList.add(group);
}
}
if (groupList.isEmpty() &&
@@ -263,52 +258,23 @@
for (NamedGroup namedGroup : groupList) {
supportedNamedGroups[i++] = namedGroup;
}
}
- // check whether the group is supported by the underlying providers
- private static boolean isAvailableGroup(NamedGroup namedGroup) {
- return namedGroup.isAvailableGroup();
- }
-
- static ECGenParameterSpec getECGenParamSpec(NamedGroup ng) {
- if (ng.type != NamedGroupType.NAMED_GROUP_ECDHE) {
- throw new RuntimeException(
- "Not a named EC group: " + ng);
- }
-
- // parameters are non-null
- AlgorithmParameters params = ng.getParameters();
- try {
- return params.getParameterSpec(ECGenParameterSpec.class);
- } catch (InvalidParameterSpecException ipse) {
- // should be unlikely
- return new ECGenParameterSpec(ng.oid);
- }
- }
-
- static AlgorithmParameters getParameters(NamedGroup ng) {
- return ng.getParameters();
- }
-
// Is there any supported group permitted by the constraints?
static boolean isActivatable(
- AlgorithmConstraints constraints, NamedGroupType type) {
+ AlgorithmConstraints constraints, NamedGroupSpec type) {
boolean hasFFDHEGroups = false;
for (NamedGroup namedGroup : supportedNamedGroups) {
- if (namedGroup.type == type) {
- if (constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup))) {
-
+ if (namedGroup.isAvailable && namedGroup.spec == type) {
+ if (namedGroup.isPermitted(constraints)) {
return true;
}
if (!hasFFDHEGroups &&
- (type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+ (type == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
hasFFDHEGroups = true;
}
}
}
@@ -316,24 +282,21 @@
// compatible mode (using DHE cipher suite without FFDHE extension)
// is allowed.
//
// Note that the constraints checking on DHE parameters will be
// performed during key exchanging in a handshake.
- return !hasFFDHEGroups && type == NamedGroupType.NAMED_GROUP_FFDHE;
+ return !hasFFDHEGroups && type == NamedGroupSpec.NAMED_GROUP_FFDHE;
}
// Is the named group permitted by the constraints?
static boolean isActivatable(
AlgorithmConstraints constraints, NamedGroup namedGroup) {
- if (!isSupported(namedGroup)) {
+ if (!namedGroup.isAvailable || !isSupported(namedGroup)) {
return false;
}
- return constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup));
+ return namedGroup.isPermitted(constraints);
}
// Is the named group supported?
static boolean isSupported(NamedGroup namedGroup) {
for (NamedGroup group : supportedNamedGroups) {
@@ -345,37 +308,31 @@
return false;
}
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
- AlgorithmConstraints constraints, NamedGroupType[] types,
+ AlgorithmConstraints constraints, NamedGroupSpec[] types,
List<NamedGroup> requestedNamedGroups) {
for (NamedGroup namedGroup : requestedNamedGroups) {
- if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
+ if ((NamedGroupSpec.arrayContains(types, namedGroup.spec)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
isSupported(namedGroup) &&
- constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup))) {
+ namedGroup.isPermitted(constraints)) {
return namedGroup;
}
}
return null;
}
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
- AlgorithmConstraints constraints, NamedGroupType[] types) {
+ AlgorithmConstraints constraints, NamedGroupSpec[] types) {
for (NamedGroup namedGroup : supportedNamedGroups) {
- if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
+ if ((NamedGroupSpec.arrayContains(types, namedGroup.spec)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
- constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup))) {
+ namedGroup.isPermitted(constraints)) {
return namedGroup;
}
}
return null;
@@ -411,19 +368,17 @@
// Produce the extension.
ArrayList<NamedGroup> namedGroups =
new ArrayList<>(SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
- (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+ (ng.spec == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(chc.activeProtocols) &&
ng.isSupported(chc.activeCipherSuites) &&
- chc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- ng.algorithm, getParameters(ng))) {
+ ng.isPermitted(chc.algorithmConstraints)) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore inactive or disabled named group: " + ng.name);
}
@@ -567,19 +522,17 @@
// they are currently supported by the client.
ArrayList<NamedGroup> namedGroups = new ArrayList<>(
SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
- (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+ (ng.spec == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(shc.activeProtocols) &&
ng.isSupported(shc.activeCipherSuites) &&
- shc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- ng.algorithm, getParameters(ng))) {
+ ng.isPermitted(shc.algorithmConstraints)) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Ignore inactive or disabled named group: " + ng.name);
}
< prev index next >