Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8178728

Check the AlgorithmParameters in algorithm constraints

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P3 P3
    • 10
    • 6
    • security-libs
    • None

        The DisabledAlgorithmConstraints.permits() does not consider the impact of AlgorithmParameters.

        107 public final boolean permits(Set<CryptoPrimitive> primitives,
        108 String algorithm, AlgorithmParameters parameters) {
        109 return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
        110 }

        The 'parameters' argument is not used here. However, the parameters may contains security information (for example key sizes, DSA, DH, RSA parameters).

        TLS implementation depends on this method to check the validity of a AlgorithmParameters. For example, in the FFDHE implementation, it is needed to check whether a DH group (DHE parameter) is available or not. If parameters checking is ignore in the constraints checking, unavailable/disabled DH groups may be requested and negotiated for a TLS/DTLS handshaking, and then the handshaking fails because the negotiated key is disabled by the constraints.

        Adding the following lines to test/sun/security/ssl/DHKeyExchange/UseStrongDHSizes.java can be used as regression test.

         * @run main/othervm UseStrongDHSizes 3072
         * @run main/othervm UseStrongDHSizes 4096
         * @run main/othervm UseStrongDHSizes 6144

              xuelei Xuelei Fan
              xuelei Xuelei Fan
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: