JDK-8264560 : Restrict TLS signature schemes in 8u
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 8-pool
  • Submitted: 2021-04-01
  • Updated: 2021-04-20
  • Resolved: 2021-04-20
Description
Summary
-------
Support signature schemes restriction in the TLS implementation.

Problem
-------
Signature schemes are essential security parameters of TLS connections. Some of them are weak, and some are too new to be supported in certain circumstances. Applications may therefore want to restrict them.

Note that the JCE signature algorithms can already be restricted, but that restriction operates at a lower layer and is not always sufficient to restrict specific TLS signature schemes, which use a different namespace.

Solution
--------
Support signature schemes restriction in the TLS implementation with algorithm constraints. Algorithm constraints can be configured with the `SSLParameters.setAlgorithmConstraints(AlgorithmConstraints)` method or the security property "jdk.tls.disabledAlgorithms".

In the TLS specification, signature schemes are used to customize signature algorithms of TLS connections as defined in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme. With this update, signature schemes can be restricted in the TLS implementation in the JDK.  The following is a list of JDK supported signature schemes:

 - EdDSA algorithms
   - ed25519
   - ed448
 - ECDSA algorithms
   - ecdsa_secp256r1_sha256
   - ecdsa_secp384r1_sha384
   - ecdsa_secp521r1_sha512
 - RSASSA-PSS algorithms with public key OID rsaEncryption
   - rsa_pss_rsae_sha256
   - rsa_pss_rsae_sha384
   - rsa_pss_rsae_sha512
 - RSASSA-PSS algorithms with public key OID RSASSA-PSS
   - rsa_pss_pss_sha256
   - rsa_pss_pss_sha384
   - rsa_pss_pss_sha512
 - RSASSA-PKCS1-v1_5 algorithms
   - rsa_pkcs1_sha256
   - rsa_pkcs1_sha384
   - rsa_pkcs1_sha512

For TLS 1.2 and earlier versions, a signature scheme is defined as a pair of a signature algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16) and a hash algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18). In the JDK implementation, these signature schemes are named "signatureAlgorithm_hashAlgorithm". For example, "ecdsa_sha224" means the signature algorithm is ECDSA and the hash algorithm is SHA-224. The TLS 1.3 protocol no longer uses this naming convention. With this update, these legacy signature schemes can also be restricted in the JDK TLS implementation. The following JDK-supported signature schemes are deprecated by the TLS 1.3 protocol:

 - Legacy signature schemes for TLS 1.2 and previous versions
   - dsa_sha256
   - ecdsa_sha224
   - rsa_sha224
   - dsa_sha224
   - ecdsa_sha1
   - rsa_pkcs1_sha1
   - dsa_sha1
   - rsa_md5
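The following is an added example (not part of the CSR or of the JDK sources) showing both restriction mechanisms named in the Solution section: a per-connection `AlgorithmConstraints` installed through `SSLParameters.setAlgorithmConstraints(...)`, and a process-wide extension of the `jdk.tls.disabledAlgorithms` security property. The class and helper names (`RestrictSignatureSchemes`, `SchemeDenyList`, `configureEngine`, `disableSchemesGlobally`) are assumptions of this example; the scheme names it denies are taken from the lists above.

```java
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.security.Security;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Added example (hypothetical class, not JDK code): restricts TLS signature
 * schemes per connection and process-wide.
 */
public class RestrictSignatureSchemes {

    /** Rejects the listed TLS signature scheme names and accepts everything else. */
    static final class SchemeDenyList implements AlgorithmConstraints {
        private final Set<String> denied = new HashSet<>();

        SchemeDenyList(String... schemes) {
            for (String s : schemes) {
                denied.add(s.toLowerCase(Locale.ROOT));
            }
        }

        // The TLS implementation passes the scheme name (e.g. "rsa_pkcs1_sha1")
        // as the algorithm string; compare it case-insensitively.
        @Override
        public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                               AlgorithmParameters parameters) {
            if (algorithm == null) {
                return false;
            }
            return !denied.contains(algorithm.toLowerCase(Locale.ROOT));
        }

        // This constraint only restricts scheme names, not key material.
        @Override
        public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
            return true;
        }

        @Override
        public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                               Key key, AlgorithmParameters parameters) {
            return permits(primitives, algorithm, parameters);
        }
    }

    /** Per-connection restriction: installs the constraints on one SSLEngine. */
    static SSLEngine configureEngine(SSLContext ctx, AlgorithmConstraints constraints) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setAlgorithmConstraints(constraints);
        engine.setSSLParameters(params);
        return engine;
    }

    /** Process-wide restriction: appends scheme names to jdk.tls.disabledAlgorithms. */
    static String disableSchemesGlobally(String... schemes) {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String extra = String.join(", ", schemes);
        String updated = (current == null || current.isEmpty()) ? extra : current + ", " + extra;
        Security.setProperty("jdk.tls.disabledAlgorithms", updated);
        return updated;
    }

    public static void main(String[] args) throws Exception {
        // Set the security property before any TLS context is created: the
        // value is read when the TLS implementation initializes.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + disableSchemesGlobally("rsa_pkcs1_sha1", "ecdsa_sha1"));

        // Per-connection deny list using legacy scheme names from the CSR.
        SchemeDenyList deny = new SchemeDenyList("rsa_pkcs1_sha1", "ecdsa_sha1",
                                                 "dsa_sha1", "rsa_md5");
        SSLEngine engine = configureEngine(SSLContext.getDefault(), deny);
        System.out.println("constraints installed: "
                + (engine.getSSLParameters().getAlgorithmConstraints() == deny));

        // Sanity check of the constraint itself, independent of a handshake.
        Set<CryptoPrimitive> sig = EnumSet.of(CryptoPrimitive.SIGNATURE);
        System.out.println("rsa_pkcs1_sha1 permitted: " + deny.permits(sig, "rsa_pkcs1_sha1", null));
        System.out.println("ecdsa_secp256r1_sha256 permitted: "
                + deny.permits(sig, "ecdsa_secp256r1_sha256", null));
    }
}
```

The `SSLParameters` route affects only the engine or socket it is applied to, which is the right choice when one service must keep a legacy scheme for a single peer while the rest of the process stays strict; the security property route applies to every TLS connection in the JVM and, like the `java.security` file it overrides, is a deployment-time decision rather than an application one.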

Specification
-------------
Update the Security Property "jdk.tls.disabledAlgorithms" specification by adding signature schemes and named groups restrictions.

     # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
     # (SSL/TLS) processing
     #
     # In some environments, certain algorithms or key lengths may be undesirable
     # when using SSL/TLS.  This section describes the mechanism for disabling
     # algorithms during SSL/TLS security parameters negotiation, including
    -# protocol version negotiation, cipher suites selection, peer authentication
    -# and key exchange mechanisms.
    +# protocol version negotiation, cipher suites selection, signature schemes 
    +# selection, peer authentication and key exchange mechanisms.
     #
     # Disabled algorithms will not be negotiated for SSL/TLS connections, even
     # if they are enabled explicitly in an application.
     #
     # For PKI-based peer authentication and key exchange mechanisms, this list
     # of disabled algorithms will also be checked during certification path
     # building and validation, including algorithms used in certificates, as
     # well as revocation information such as CRLs and signed OCSP Responses.
     # This is in addition to the jdk.certpath.disabledAlgorithms property above.
     #
     # See the specification of "jdk.certpath.disabledAlgorithms" for the
     # syntax of the disabled algorithm string.
     #
     # Note: The algorithm restrictions do not apply to trust anchors or
     # self-signed certificates.
     #
     # Note: This property is currently used by the JDK Reference implementation.
     # It is not guaranteed to be examined and used by other implementations.
     #
     # Example:
    -#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
    +#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
    +#       rsa_pkcs1_sha1
     jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
     DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
     include jdk.disabled.namedCurves
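Review bot: the new example line `+#       rsa_pkcs1_sha1` introduces a signature-scheme token without saying how such names are formed, while the unchanged comment above still refers readers only to the `jdk.certpath.disabledAlgorithms` syntax, which does not cover TLS scheme names such as `rsa_pkcs1_sha1` or the TLS 1.2 `signatureAlgorithm_hashAlgorithm` form; consider adding a sentence before the example that names the accepted signature scheme identifiers (or points at the IANA TLS SignatureScheme registry) so users know the token is matched as a scheme name rather than as a JCE algorithm. Also, the added line `+# protocol version negotiation, cipher suites selection, signature schemes ` carries trailing whitespace that should be stripped before commit. Finally, the actual `jdk.tls.disabledAlgorithms=` value is unchanged by this hunk, so no signature scheme becomes disabled by default; if that is intended, the release note should say so explicitly.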

Comments
Moving to Approved.
20-04-2021

This CSR has partial details from the one approved for JDK 14 i.e. JDK-8227445. In this CSR, we captured signature scheme restrictions details and ignored named group restriction details. To adopt named group restrictions, we need to backport a dependency enhancement: JDK-8171279. As of now, we plan to backport only signature scheme restrictions and captured only these details. From the approved CSR, we ignored the point that signature schemes and group names were standardized via JDK-8228752 CSR. For the JDK update releases, the names will be documented via release notes.
20-04-2021