JDK-8291950 : (D)TLS key exchange named groups
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Approved
  • Fix Versions: 20
  • Submitted: 2022-08-05
  • Updated: 2022-12-05
  • Resolved: 2022-12-05
Related Reports
CSR :  
JDK-8281236 - (D)TLS key exchange named groups
Description
Summary
-------
Add new APIs to support key exchange named groups customization for individual (D)TLS connection.

Problem
-------
In a (D)TLS connection, the client and server may support different parameters for key exchange algorithms.  These parameters are defined with named groups in (D)TLS specifications (see RFC 8446 and RFC 5246).  (D)TLS specifications define the procedure to negotiate the named group that could be used in key exchanging during the negotiation of (D)TLS connections.

JDK implements the procedure to negotiate with essential key exchange named groups. Applications could configure the JDK default named groups.  Rather than using the provider default named groups, applications may want to customize the named groups for individual connections, for fine control of the security properties.  There is no such APIs in Java SE.


Solution
--------
New Java SE public APIs will be defined to customize the key exchange named groups for individual connections.

Specification
-------------
1. Add a get method to access the key exchange named groups customization in the javax.net.ssl.SSLParameters class.

        +    /**
        +     * Returns a prioritized array of key exchange named groups names that
        +     * can be used over the SSL/TLS/DTLS protocols.
        +     * <p>
        +     * Note that the standard list of key exchange named groups are defined
        +     * in the <a href=
        +     * "{@docRoot}/../specs/security/standard-names.html#named-groups">
        +     * Named Groups</a> section of the Java Security Standard Algorithm
        +     * Names Specification.  Providers may support named groups not defined
        +     * in this list or may not use the recommended name for a certain named
        +     * group.
        +     * <p>
        +     * The set of named groups that will be used over the SSL/TLS/DTLS
        +     * connections is determined by the returned array of this method and the
        +     * underlying provider-specific default named groups.
        +     * <p>
        +     * If the returned array is {@code null}, then the underlying
        +     * provider-specific default named groups will be used over the
        +     * SSL/TLS/DTLS connections.
        +     * <p>
        +     * If the returned array is empty (zero-length), then the named group
        +     * negotiation mechanism is turned off for SSL/TLS/DTLS protocols, and
        +     * the connections may not be able to be established if the negotiation
        +     * mechanism is required by a certain SSL/TLS/DTLS protocol.  This
        +     * parameter will override the underlying provider-specific default
        +     * name groups.
        +     * <p>
        +     * If the returned array is not {@code null} or empty (zero-length),
        +     * then the named groups in the returned array will be used over
        +     * the SSL/TLS/DTLS connections.  This parameter will override the
        +     * underlying provider-specific default named groups.
        +     * <p>
        +     * This method returns the most recent value passed to
        +     * {@link #setNamedGroups} if that method has been called and otherwise
        +     * returns the default named groups for connection populated objects,
        +     * or {@code null} for pre-populated objects.
        +     *
        +     * @apiNote
        +     * Note that a provider may not have been updated to support this method
        +     * and in that case may return {@code null} instead of the default
        +     * named groups for connection populated objects.
        +     *
        +     * @implNote
        +     * The SunJSSE provider supports this method.
        +     *
        +     * @implNote
        +     * Note that applications may use the
        +     * {@systemProperty jdk.tls.namedGroups} system property with the SunJSSE
        +     * provider to override the provider-specific default named groups.
        +     *
        +     * @return an array of key exchange named group names {@code Strings} or
        +     *         {@code null} if none have been set.  For non-null returns, this
        +     *         method will return a new array each time it is invoked.  The
        +     *         array is ordered based on named group preference, with the first
        +     *         entry being the most preferred.  Providers should ignore unknown
        +     *         named group names while establishing the SSL/TLS/DTLS
        +     *         connections.
        +     * @see #setNamedGroups
        +     *
        +     * @since 20
        +     */
        +    public String[] getNamedGroups();


2. Add a set method to customize the key exchange named groups in the javax.net.ssl.SSLParameters class.

        +    /**
        +     * Sets the prioritized array of key exchange named groups names that
        +     * can be used over the SSL/TLS/DTLS protocols.
        +     * <p>
        +     * Note that the standard list of key exchange named groups are defined in
        +     * the <a href=
        +     * "{@docRoot}/../specs/security/standard-names.html#named-groups">
        +     * Named Groups</a> section of the Java Security Standard Algorithm
        +     * Names Specification.  Providers may support named groups not defined
        +     * in this list or may not use the recommended name for a certain named
        +     * group.
        +     * <p>
        +     * The set of named groups that will be used over the SSL/TLS/DTLS
        +     * connections is determined by the input parameter {@code namedGroups}
        +     * array and the underlying provider-specific default named groups.
        +     * See {@link #getNamedGroups} for specific details on how the
        +     * parameters are used in SSL/TLS/DTLS connections.
        +     *
        +     * @apiNote
        +     * Note that a provider may not have been updated to support this method
        +     * and in that case may ignore the named groups that are set.
        +     *
        +     * @implNote
        +     * The SunJSSE provider supports this method.
        +     *
        +     * @param namedGroups an ordered array of key exchange named group names
        +     *        with the first entry being the most preferred, or {@code null}.
        +     *        This method will make a copy of this array. Providers should
        +     *        ignore unknown named group scheme names while establishing the
        +     *        SSL/TLS/DTLS connections.
        +     * @throws IllegalArgumentException if any element in the
        +     *        {@code namedGroups} array is a duplicate, {@code null} or
        +     *        {@linkplain String#isBlank() blank}.
        +     *
        +     * @see #getNamedGroups
        +     *
        +     * @since 20
        +     */
        +    public void setNamedGroups(String[] namedGroups) {

3. Support the new added methods in the JDK Reference Implementation.
Comments
Moving updated request to Approved.
05-12-2022
> If there are repeated strings in the array, that is fine and no exception is thrown? The current SSLParameters methods do not check repeated parameters. But I think it is a good idea to check for better user experiences. I updated the spec. IAE should be thrown for duplicate named groups. > If the strings in the array do not correspond to any named groups, that is fine? The legality of a group name depending on a few other factors, like provider implementations, TLS versions, etc., which are not available for an SSLParameters object. If not possible, it is not easy to make a right decision if a group name is legal or not. Hopefully, the states in the spec are clear about this situation. Providers may support named groups not defined in this list or may not use the recommended name for a certain named group. and Providers should ignore unknown named group scheme names while establishing the SSL/TLS/DTLS connections.
04-12-2022
For setNamedGroups, are there any additional semantic constraints on the argument the spec should give? If there are repeated strings in the array, that is fine and no exception is thrown? If the strings in the array do not correspond to any named groups, that is fine? Moving to Provisional.
29-11-2022
[~darcy] Regarding implSpec tags and overriding, there was a similar discussion thread for CSR JDK-8280495, which is a very similar API, and I think the issues were more or less resolved in the end. Keeping the wording and behavior of this API consistent with that API seems important since they are basically the same type of API.
21-11-2022
> Should the new methods have implSpec tags to specify their behavior if not overridden? @darcy There is a spec description about the default behaviors in the get method: "This method returns the most recent value passed to {@link #setNamedGroups} if that method has been called and otherwise returns the default named groups for connection populated objects, or {@code null} for pre-populated objects." A sub-class should follow the spec. Did you want to use implSpec tags for the description?
10-11-2022
Moving to Provisional, not Approved. Should the new methods have implSpec tags to specify their behavior if not overridden?
09-11-2022
> In the Problem section, I think the first sentence of the second paragraph would read better as ... Yes, the suggestion makes sense to me. Thanks!
08-11-2022
In the Problem section, I think the first sentence of the second paragraph would read better as > JDK implements the procedure to negotiate with essential key exchange > named groups. .
08-11-2022
This is a similar effort to CSR [JDK-8280495][1] [1]: https://bugs.openjdk.org/browse/JDK-8280495
05-08-2022