JDK-8226374 : Restrict TLS signature schemes and named groups
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 11,12,13
  • Priority: P3
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_7
  • CPU: x86_64
  • Submitted: 2019-06-14
  • Updated: 2022-03-31
  • Resolved: 2019-08-13
Fix versions:
  • JDK 11: 11.0.12-oracle (Fixed)
  • JDK 13: 13-pool (Resolved)
  • JDK 14: 14 b10 (Fixed)
Description
A DESCRIPTION OF THE PROBLEM :
We are trying to disable RSASSA-PSS, because it is not supported in the JCE PKCS11 wrapper and causes errors when setting up TLS 1.2.
It is possible to do this using jdk.tls.disabledAlgorithms with RSASSA-PSS, if this is done on both sides (client & server).
But if this is done only on the client side, which means the server still gives RSASSA-PSS as one of the options in its CertificateRequest message, the client will still choose RSASSA-PSS and fail.

I think the core of the problem lies within the CertificateVerify.T12CertificateVerifyMessage constructor, which selects the signature algorithm as follows:
            this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
                    chc.peerRequestedSignatureSchemes,
                    x509Possession.popPrivateKey,
                    chc.negotiatedProtocol);

chc.peerRequestedSignatureSchemes holds -all- algorithms sent by the server in its CertificateRequest message. Disabled algorithms are not filtered out.
The getPreferableAlgorithm method also does not consider disabled algorithms.

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
Set up a TLS 1.2 client with jdk.tls.disabledAlgorithms containing RSASSA-PSS.
Set up a TLS 1.2 server which does not have RSASSA-PSS disabled.
Connect the client to the server.

FREQUENCY : always

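To make the selection step the report points at concrete, the following is an added illustration, not JDK code. It models the getPreferableAlgorithm call with a simplified scheme enum, a constructed CertificateRequest scheme list and a constructed jdk.tls.disabledAlgorithms string, and contrasts the unfiltered selection with one that drops locally disabled schemes before preferring any. The scheme-to-algorithm mapping, the helper names and the key-usability rule are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration (not JDK code) of the selection step described in the report.
 * The enum, the disabled-algorithms string and the helper names are constructed for this example.
 */
public class SignatureSchemeFilterDemo {

    /** Simplified stand-in for the JDK's SignatureScheme enum (assumption: three schemes suffice here). */
    enum Scheme {
        RSA_PSS_RSAE_SHA256("rsa_pss_rsae_sha256", "RSASSA-PSS"),
        RSA_PKCS1_SHA256("rsa_pkcs1_sha256", "RSA"),
        ECDSA_SECP256R1_SHA256("ecdsa_secp256r1_sha256", "EC");

        final String name;      // TLS signature scheme name as sent on the wire
        final String algorithm; // JCA algorithm name the scheme relies on (mapping assumed for the example)

        Scheme(String name, String algorithm) {
            this.name = name;
            this.algorithm = algorithm;
        }
    }

    /** Parse a jdk.tls.disabledAlgorithms-style list; only bare names are handled, constraints such as keySize are ignored. */
    static Set<String> parseDisabled(String property) {
        Set<String> out = new HashSet<>();
        for (String entry : property.split(",")) {
            String name = entry.trim().split("\\s+")[0];
            if (!name.isEmpty()) {
                out.add(name.toUpperCase());
            }
        }
        return out;
    }

    /** Assumed key-usability rule: RSA keys sign rsa_pss_rsae_* and rsa_pkcs1_*, EC keys sign ecdsa_*. */
    static boolean usableWithKey(Scheme s, String keyAlgorithm) {
        switch (keyAlgorithm) {
            case "RSA": return s == Scheme.RSA_PSS_RSAE_SHA256 || s == Scheme.RSA_PKCS1_SHA256;
            case "EC":  return s == Scheme.ECDSA_SECP256R1_SHA256;
            default:    return false;
        }
    }

    /** Behaviour the report describes: the first peer-offered scheme usable with the key wins, disabled or not. */
    static Scheme selectUnfiltered(List<Scheme> peerRequested, String keyAlgorithm) {
        for (Scheme s : peerRequested) {
            if (usableWithKey(s, keyAlgorithm)) {
                return s;
            }
        }
        return null;
    }

    /** Hardened selection: drop schemes whose algorithm is locally disabled, then apply the same preference. */
    static Scheme selectFiltered(List<Scheme> peerRequested, String keyAlgorithm, Set<String> disabled) {
        List<Scheme> candidates = new ArrayList<>();
        for (Scheme s : peerRequested) {
            if (!disabled.contains(s.algorithm.toUpperCase())) {
                candidates.add(s);
            }
        }
        return selectUnfiltered(candidates, keyAlgorithm);
    }

    public static void main(String[] args) {
        // Constructed CertificateRequest contents: the server lists RSASSA-PSS first.
        List<Scheme> peerRequested = Arrays.asList(
                Scheme.RSA_PSS_RSAE_SHA256, Scheme.RSA_PKCS1_SHA256, Scheme.ECDSA_SECP256R1_SHA256);
        // Constructed client setting; a deployment would read
        // java.security.Security.getProperty("jdk.tls.disabledAlgorithms") instead.
        Set<String> disabled = parseDisabled("RSASSA-PSS, SHA1withDSA");

        Scheme unfiltered = selectUnfiltered(peerRequested, "RSA");
        Scheme filtered = selectFiltered(peerRequested, "RSA", disabled);
        System.out.println("unfiltered selection: " + unfiltered.name);
        System.out.println("filtered selection:   " + filtered.name);
    }
}
```

Compile and run with javac and java; the unfiltered path keeps the server's first offer even though the client has disabled its algorithm, while the filtered path falls through to the next scheme the RSA key can sign. On a real client, running with -Djavax.net.debug=ssl:handshake logs the handshake messages, so the scheme actually chosen for CertificateVerify can be confirmed against the disabled-algorithms setting.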
Comments
Fix Request (11u) Should get backported for parity with 11.0.12-oracle. Doesn't apply cleanly. Review thread: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2021-April/005629.html
07-04-2021

Fix request (13u) This fix is required for a clean backport of JDK-8233954. The original patch applies almost cleanly, with the exception of SignatureScheme.java (caused by the wrong sequence of backports: 8242141 should be made after 8226374).
13-11-2020

URL: https://hg.openjdk.java.net/jdk/jdk/rev/a93b7b28f644 User: xuelei Date: 2019-08-13 04:37:01 +0000
13-08-2019