JDK-8227445 : Restrict TLS signature schemes and named groups
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 14
  • Submitted: 2019-07-09
  • Updated: 2019-11-06
  • Resolved: 2019-08-06
Description
Summary
-------
Support restricting signature schemes and named groups in the TLS implementation.

Problem
-------
Signature schemes and named groups are essential security parameters of TLS connections.  Some of them are weak, and some of them are too new to be supported in some circumstances.  Applications may want to restrict them.

Note that JCE signature algorithms can already be restricted, but that restriction operates at a lower layer and is not always sufficient to restrict specific TLS signature schemes, which use a different namespace.

In the future, a backport of the implementation to previous JDK releases, for example JDK 11 or JDK 8, may be requested.

Solution
--------
Support restricting signature schemes and named groups in the TLS implementation through algorithm constraints. Algorithm constraints can be configured with the `SSLParameters.setAlgorithmConstraints(AlgorithmConstraints)` method or with the security property "jdk.tls.disabledAlgorithms".

In the TLS specification, signature schemes identify the signature algorithms used in TLS connections, as registered at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme. With this update, signature schemes can be restricted in the JDK's TLS implementation. The JDK supports the following signature schemes:

 - EdDSA algorithms
   - ed25519
   - ed448
 - ECDSA algorithms
   - ecdsa_secp256r1_sha256
   - ecdsa_secp384r1_sha384
   - ecdsa_secp521r1_sha512
 - RSASSA-PSS algorithms with public key OID rsaEncryption
   - rsa_pss_rsae_sha256
   - rsa_pss_rsae_sha384
   - rsa_pss_rsae_sha512
 - RSASSA-PSS algorithms with public key OID RSASSA-PSS
   - rsa_pss_pss_sha256
   - rsa_pss_pss_sha384
   - rsa_pss_pss_sha512
 - RSASSA-PKCS1-v1_5 algorithms
   - rsa_pkcs1_sha256
   - rsa_pkcs1_sha384
   - rsa_pkcs1_sha512

For TLS 1.2 and previous versions, a signature scheme is defined as a pair of a signature algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16) and a hash algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18). In the JDK implementation, these signature schemes are named "signatureAlgorithm_hashAlgorithm". For example, "ecdsa_sha224" means the signature algorithm is ECDSA and the hash algorithm is SHA-224. TLS 1.3 no longer uses this naming convention. With this update, these signature schemes can also be restricted in the JDK's TLS implementation. The JDK supports the following legacy signature schemes, which TLS 1.3 deprecates:

 - Legacy signature schemes for TLS 1.2 and previous versions
   - dsa_sha256
   - ecdsa_sha224
   - rsa_sha224
   - dsa_sha224
   - ecdsa_sha1
   - rsa_pkcs1_sha1
   - dsa_sha1
   - rsa_md5

In the TLS specification, named groups identify the key exchange groups used in TLS connections, as registered at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8. With this update, named groups can be restricted in the JDK's TLS implementation. The JDK supports the following named groups:

 - NIST-defined elliptic curves (RFC 4492)
   - sect163k1
   - sect163r1
   - sect163r2
   - sect193r1
   - sect193r2
   - sect233k1
   - sect233r1
   - sect239k1
   - sect283k1
   - sect283r1
   - sect409k1
   - sect409r1
   - sect571k1
   - sect571r1
   - secp160k1
   - secp160r1
   - secp160r2
   - secp192k1
   - secp192r1
   - secp224k1
   - secp224r1
   - secp256k1
   - secp256r1
   - secp384r1
   - secp521r1
 - x25519 and x448 (RFC 8422/8446)
   - x25519
   - x448
 - Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
   - ffdhe2048
   - ffdhe3072
   - ffdhe4096
   - ffdhe6144
   - ffdhe8192

Note that the signature scheme and named group names are not standardized yet. A subsequent CSR will be filed for their standardization (see JDK-8210755).
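Both configuration paths described in the Solution, as an added example that is not part of this CSR or of the JDK source: the names in the deny list are taken from the scheme and group lists above, but which ones to disable is an illustrative choice, and `DenyListConstraints` and the two helper methods are hypothetical names.

```java
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.security.Security;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** Added example, not JDK or CSR code: two ways to restrict TLS signature schemes and named groups. */
public final class TlsRestrictionExample {
    // Names come from the CSR's lists; which ones to disable is an illustrative choice.
    static final Set<String> DISABLED = Set.of(
            "rsa_pkcs1_sha1", "ecdsa_sha1", "dsa_sha1", "rsa_md5",   // SHA-1 / MD5 signature schemes
            "secp224r1", "sect163k1", "ffdhe2048");                 // small named groups

    /** Hypothetical AlgorithmConstraints: denies the names above, permits everything else. */
    static final class DenyListConstraints implements AlgorithmConstraints {
        @Override
        public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                               AlgorithmParameters parameters) {
            // The TLS implementation passes the scheme or group name (e.g. "secp224r1") here.
            return !DISABLED.contains(algorithm.toLowerCase(Locale.ROOT));
        }
        @Override
        public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
            return true;   // key-size limits are left to jdk.tls.disabledAlgorithms
        }
        @Override
        public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                               Key key, AlgorithmParameters parameters) {
            return permits(primitives, algorithm, parameters);
        }
    }

    /** Process-wide: extend the security property before the TLS stack is first used. */
    static void restrictViaSecurityProperty() {
        String base = Security.getProperty("jdk.tls.disabledAlgorithms");
        String added = "rsa_pkcs1_sha1, ecdsa_sha1, secp224r1, ffdhe2048";
        Security.setProperty("jdk.tls.disabledAlgorithms",
                (base == null || base.isEmpty()) ? added : base + ", " + added);
    }

    /** Per-connection: attach the constraints via SSLParameters.setAlgorithmConstraints. */
    static void restrictViaParameters(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setAlgorithmConstraints(new DenyListConstraints());
        socket.setSSLParameters(params);
    }
}
```

Constraints set through `SSLParameters` are applied in addition to, not instead of, the restrictions from "jdk.tls.disabledAlgorithms", so the per-connection path can only narrow what the property already allows.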

Specification
-------------
Update the specification of the security property "jdk.tls.disabledAlgorithms" to add signature scheme and named group restrictions:

	  #
	  # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
	  # (SSL/TLS/DTLS) processing
	  #
	  # In some environments, certain algorithms or key lengths may be undesirable
 	  # when using SSL/TLS/DTLS.  This section describes the mechanism for disabling
 	  # algorithms during SSL/TLS/DTLS security parameters negotiation, including
	- # protocol version negotiation, cipher suites selection, peer authentication
	- # and key exchange mechanisms.
	+ # protocol version negotiation, cipher suites selection, named groups
	+ # selection, signature schemes selection, peer authentication and key
	+ # exchange mechanisms.
	  #
	  # Disabled algorithms will not be negotiated for SSL/TLS connections, even
	  # if they are enabled explicitly in an application.
	  #
	  # For PKI-based peer authentication and key exchange mechanisms, this list
	  # of disabled algorithms will also be checked during certification path
	  # building and validation, including algorithms used in certificates, as
	  # well as revocation information such as CRLs and signed OCSP Responses.
	  # This is in addition to the jdk.certpath.disabledAlgorithms property above.
	  #
	  # See the specification of "jdk.certpath.disabledAlgorithms" for the
	  # syntax of the disabled algorithm string.
	  #
	  # Note: The algorithm restrictions do not apply to trust anchors or
	  # self-signed certificates.
	  #
	  # Note: This property is currently used by the JDK Reference implementation.
	  # It is not guaranteed to be examined and used by other implementations.
	  #
	  # Example:
	- #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
	+ #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
	+ #       rsa_pkcs1_sha256, secp224r1
	  jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
		 EC keySize < 224, 3DES_EDE_CBC, anon, NULL
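Review bot: the updated Example now lists rsa_pkcs1_sha256 and secp224r1, but the header still points readers only to the jdk.certpath.disabledAlgorithms syntax, while the Description states that these signature scheme and named group names are not yet standardized (JDK-8210755). Consider adding one sentence next to "See the specification of "jdk.certpath.disabledAlgorithms" for the syntax of the disabled algorithm string", stating that signature schemes and named groups are matched by their TLS names (for example rsa_pkcs1_sha256, secp224r1), so readers know which spelling the property expects.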
Comments
[~mullan] I will take care of the update of the documentation.
14-08-2019

[~xuelei] I don't think this needs to be in the CSR, but there is a slight wording change to the jdk.certpath.disabledAlgorithms property that should be made:

    # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
    # Documentation" for information about Standard Algorithm Names. Matching

That is an old name of the document. Change this to:

    # algorithm. See the Java Security Standard Algorithm Names
    # Specification for information about Standard Algorithm Names. Matching

The same change should be made to the jdk.tls.legacyAlgorithms property.
06-08-2019

Voting to approve based on the assurances that the additional elements, "named groups selection, signature schemes selection", are covered by the existing syntax allowances.
06-08-2019

> Are explicit syntax updates needed to jdk.certpath.disabledAlgorithms as referenced above?

The restricted algorithms, like ecdsa_secp256r1_sha256 and ffdhe2048, will be standardized in JDK-8210755. The current DisabledAlgorithms syntax in the jdk.certpath.disabledAlgorithms section is sufficient.
05-08-2019

Are explicit syntax updates needed to jdk.certpath.disabledAlgorithms as referenced above?

    # See the specification of "jdk.certpath.disabledAlgorithms" for the
    # syntax of the disabled algorithm string.
05-08-2019