Bug ID: JDK-8178728 Check the AlgorithmParameters in algorithm constraints

Versions (Unresolved/Resolved/Fixed)

The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.

JDK 10	JDK 6	JDK 7	JDK 8	JDK 9	Other
10 b11Fixed	6u181Fixed	7u171Fixed	8u161Fixed	9.0.4Fixed	openjdk7uFixed

The DisabledAlgorithmConstraints.permits() does not consider the impact of AlgorithmParameters.

107     public final boolean permits(Set<CryptoPrimitive> primitives,
108             String algorithm, AlgorithmParameters parameters) {
109         return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
110     }

The 'parameters' argument is not used here.  However, the parameters may contains security information (for example key sizes, DSA, DH, RSA parameters).

TLS implementation depends on this method to check the validity of a AlgorithmParameters.  For example, in the FFDHE implementation, it is needed to check whether a DH group (DHE parameter) is available or not.  If parameters checking is ignore in the constraints checking, unavailable/disabled DH groups may be requested and negotiated for a TLS/DTLS handshaking, and then the handshaking fails because the negotiated key is disabled by the constraints.

Adding the following lines to test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java can be used as regression test.

 * @run main/othervm UseStrongDHSizes 3072
 * @run main/othervm UseStrongDHSizes 4096
 * @run main/othervm UseStrongDHSizes 6144