JDK-8235540 : Disable weak named curves by default in TLS, CertPath, and Signed JAR
  • Type: CSR
  • Component: security-libs
  • Sub-Component: java.security
  • Priority: P2
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 7-pool,8-pool,11-pool,14,15
  • Submitted: 2019-12-07
  • Updated: 2021-01-08
  • Resolved: 2019-12-18
Description
Summary
-------

This change adds named elliptic curves to the jdk.[tls|certpath|jar].disabledAlgorithms security properties.

Problem
-------
Crypto operations need to be disabled by named curve through the disabledAlgorithms properties.  This requires deeper checks into the EC classes than previously supported.  With over 50 named curves available, adding individual named curves to each of the disabledAlgorithms properties is messy and needs a cleaner solution.


Solution
--------
Adding support for named curves is straightforward to implement; however, with so many named curves, listing them would overwhelm the disabledAlgorithms properties.  To relieve this, a new security property, jdk.disabled.namedCurves, is implemented that can list the named curves common to all the disabledAlgorithms properties.  To use the new property in a disabledAlgorithms property, the full property name is used as an entry.  Users can still add individual named curves to disabledAlgorithms properties separately from this new property.

A hardcoded list of named curves was considered with a keyword that added the list to the disabledAlgorithms property.  However, if one curve on the hardcoded list needed to be enabled, it required the user to list all the remaining named curves in the property.  There is no "not" operation.

With support for named curves added, the default policy for all the disabledAlgorithms security properties will be changed to add the weakly implemented curves.  The curves will be added to jdk.disabled.namedCurves, and jdk.disabled.namedCurves will be included in each of the disabledAlgorithms properties.
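
The include mechanism described above can be audited offline with a short script. This is an added example, not JDK code: it parses java.security-style text, expands `include <property>` entries one level, and flags an entry that holds two curve names, which is what a comma missing before a line continuation produces. The sample text is constructed, and the simplified parser, the single-level expansion and the function names are assumptions of this example.

```python
import re

# Constructed sample in java.security syntax (shortened curve list, not the JDK default).
# The comma after brainpoolP256r1 is left out on purpose.
SAMPLE = r"""
jdk.disabled.namedCurves = secp112r1, secp256k1, X9.62 prime192v2, \
    brainpoolP256r1 \
    brainpoolP320r1, brainpoolP384r1
jdk.tls.disabledAlgorithms=SSLv3, RC4, EC keySize < 224, \
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""

def parse_properties(text):
    """Parse key=value lines, joining backslash continuations ('=' separator only)."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()  # leading whitespace of a continuation line is dropped
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]
            continue
        key, _, value = (logical + line).partition("=")
        props[key.strip()] = value.strip()
        logical = ""
    return props

def split_entries(value):
    return [e.strip() for e in value.split(",") if e.strip()]

def effective_entries(props, name):
    """Entries of one disabledAlgorithms property with 'include <property>' expanded."""
    out = []
    for entry in split_entries(props.get(name, "")):
        m = re.fullmatch(r"include\s+(\S+)", entry)
        # One level of expansion; in this script an undefined property adds nothing.
        out += split_entries(props.get(m.group(1), "")) if m else [entry]
    return out

def merged_names(props, name="jdk.disabled.namedCurves"):
    """Entries holding two names: the result of a comma missing before a continuation."""
    return [c for c in split_entries(props.get(name, ""))
            if " " in re.sub(r"^X9\.62 ", "", c)]

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for prop in ("jdk.tls.disabledAlgorithms", "jdk.jar.disabledAlgorithms"):
        print(prop, "->", effective_entries(props, prop))
    print("merged entries:", merged_names(props))
```

In the sample, `jdk.jar.disabledAlgorithms` has no `include` entry and so picks up no curves, and `brainpoolP320r1` never appears as an entry of its own.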

Specification
-------------

    java.security
    @@ -500,6 +500,22 @

     #
    +# This property contains a list of disabled EC Named Curves that can be included
    +# in jdk.[tls|certpath|jar].disabledAlgorithms.  To include this list in any
    +# of the disabledAlgorithms properties, add the property name as an entry.
    +jdk.disabled.namedCurves = secp112r1, secp112r2, secp128r1, secp128r2, \
    +    secp160k1, secp160r1, secp160r2, secp192k1, secp192r1, secp224k1, \
    +    secp224r1, secp256k1, sect113r1, sect113r2, sect131r1, sect131r2, \
    +    sect163k1, sect163r1, sect163r2, sect193r1, sect193r2, sect233k1, \
    +    sect233r1, sect239k1, sect283k1, sect283r1, sect409k1, sect409r1, \
    +    sect571k1, sect571r1, X9.62 c2tnb191v1, X9.62 c2tnb191v2, \
    +    X9.62 c2tnb191v3, X9.62 c2tnb239v1, X9.62 c2tnb239v2, X9.62 c2tnb239v3, \
    +    X9.62 c2tnb359v1, X9.62 c2tnb431r1, X9.62 prime192v2, X9.62 prime192v3, \
    +    X9.62 prime239v1, X9.62 prime239v2, X9.62 prime239v3, brainpoolP256r1 \
    +    brainpoolP320r1, brainpoolP384r1, brainpoolP512r1
    +
    +#
     # Algorithm restrictions for certification path (CertPath) processing
     #
     # In some environments, certain algorithms  or key lengths may be undesirable
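Review bot: the `jdk.disabled.namedCurves` value is missing a comma after `brainpoolP256r1` on its second-to-last line, so once the continuation is joined `brainpoolP256r1 brainpoolP320r1` reads as a single entry rather than two curve names. End that line with `brainpoolP256r1, \`. The new comment could also say that the list is only applied where a disabledAlgorithms property names it with an `include` entry, since setting this property alone disables nothing.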

    @@ -513,7 +530,7 @@
     #       " DisabledAlgorithm { , DisabledAlgorithm } "
     #
     #   DisabledAlgorithm:
    -#       AlgorithmName [Constraint] { '&' Constraint }
    +#       AlgorithmName [Constraint] { '&' Constraint } | IncludeProperty
     #
     #   AlgorithmName:
     #       (see below)
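Review bot: in the `DisabledAlgorithm:` production the `| IncludeProperty` alternative is appended to the same line as `{ '&' Constraint }`, which lets it be read as an alternative to the constraint repetition only. Put each alternative on its own line, or parenthesize the first one, so it is clear that an `IncludeProperty` entry stands alone and takes no constraints.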
    @@ -540,6 +557,9 @@ 
     #   UsageConstraint:
     #       usage [TLSServer] [TLSClient] [SignedJAR]
     #
    +#   IncludeProperty:
    +#       include <security property>
    +#
     # The "AlgorithmName" is the standard algorithm name of the disabled
     # algorithm. See the Java Security Standard Algorithm Names Specification
     # for information about Standard Algorithm Names.  Matching is
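Review bot: the `IncludeProperty:` production gives only `include <security property>` and leaves the behaviour of the edge cases undocumented. State what happens when the named property is undefined or empty, whether an included property may itself contain an `include` entry, and whether any security property name is accepted or only the ones the implementation defines.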
     @@ -552,6 +572,14 @@
     # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
     # will not disable algorithms related to "ECDSA".
     # 
    +# The "IncludeProperty" allows a implementation-defined security property that
    +# can be included in the disabledAlgorithms properties.  These properties are
    +# to help manage common actions easier across multiple disabledAlgorithm
    +# properties.
    +# There is one defined security property:  jdk.disabled.NamedCurves
    +# See the property for more specific details.
    +#
     # A "Constraint" defines restrictions on the keys and/or certificates for 
     # a specified AlgorithmName:
     #
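Review bot: the added text names the property `jdk.disabled.NamedCurves`, but the property defined in the first hunk is `jdk.disabled.namedCurves` with a lowercase "n"; a reader copying the name from this comment gets a different property name. Use the defined spelling, and change "a implementation-defined" to "an implementation-defined" while editing the paragraph.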

    @@ -624,7 +643,8 @@
     #
     #
     jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    -    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
    +    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    +   include jdk.disabled.namedCurves
 
    @@ -668,7 +688,7 @@
     # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
     #
     jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    -      DSA keySize < 1024
    +      DSA keySize < 1024,  include jdk.disabled.namedCurves
 
     #
     # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
    @@ -703,7 +723,7 @@
     #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
     #       rsa_pkcs1_sha1, secp224r1
     jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
    -    EC keySize < 224, 3DES_EDE_CBC, anon, NULL
    +    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, include jdk.disabled.namedCurves
 
     #
     # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
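Review bot: the commented example above the changed line still lists `secp224r1` individually, while that curve is now part of `jdk.disabled.namedCurves` and arrives through the new `include` entry. Update the example to show the `include jdk.disabled.namedCurves` form, or pick a curve that is not on the included list, so the example and the default value do not suggest two ways of disabling the same curve.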

Comments
Moving to Approved. The mechanism isn't as general as possible, but that is probably fine in this context.
18-12-2019