Details

Type: CSR
Resolution: Approved
Priority: P3
Fix Version/s: None
Compatibility Kind: behavioral
Compatibility Risk: minimal
Interface Kind: Java API, System or security property
Scope: JDK
Description
Summary
Support signature schemes restriction in the TLS implementation.
Problem
Signature schemes are essential security parameters of TLS connections. Some of them are weak, and some of them are too new to be supported in some circumstances. Applications may want to restrict them.
Note that JCE signature algorithms can already be restricted, but that restriction operates at a lower layer and is not always sufficient to restrict specific TLS signature schemes, which use a different namespace.
Solution
Support signature schemes restriction in the TLS implementation with algorithm constraints. Algorithm constraints can be configured with the SSLParameters.setAlgorithmConstraints(AlgorithmConstraints) method or the security property "jdk.tls.disabledAlgorithms".
In the TLS specification, signature schemes are used to customize signature algorithms of TLS connections as defined in https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme. With this update, signature schemes can be restricted in the TLS implementation in the JDK. The following is a list of JDK supported signature schemes:

  EdDSA algorithms
    ed25519
    ed448
  ECDSA algorithms
    ecdsa_secp256r1_sha256
    ecdsa_secp384r1_sha384
    ecdsa_secp521r1_sha512
  RSASSA-PSS algorithms with public key OID rsaEncryption
    rsa_pss_rsae_sha256
    rsa_pss_rsae_sha384
    rsa_pss_rsae_sha512
  RSASSA-PSS algorithms with public key OID RSASSA-PSS
    rsa_pss_pss_sha256
    rsa_pss_pss_sha384
    rsa_pss_pss_sha512
  RSASSA-PKCS1-v1_5 algorithms
    rsa_pkcs1_sha256
    rsa_pkcs1_sha384
    rsa_pkcs1_sha512
For TLS 1.2 and previous versions, signature schemes are defined as a pair of a signature algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-16) and a hash algorithm (https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-18). In the JDK implementation, these signature schemes are named "signatureAlgorithm_hashAlgorithm". For example, "ecdsa_sha224" means the signature algorithm is ECDSA and the hash algorithm is SHA-224. The TLS 1.3 protocol no longer uses this naming convention. With this update, these legacy schemes can also be restricted in the TLS implementation in the JDK. The following is a list of JDK supported signature schemes that are being deprecated per the TLS 1.3 protocol:

  Legacy signature schemes for TLS 1.2 and previous versions
    dsa_sha256
    ecdsa_sha224
    rsa_sha224
    dsa_sha224
    ecdsa_sha1
    rsa_pkcs1_sha1
    dsa_sha1
    rsa_md5
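As an added example (not code from this CSR or from the JDK sources), both restriction paths named in the Solution section are shown for the legacy scheme list above: a custom AlgorithmConstraints applied per connection through SSLParameters.setAlgorithmConstraints, and a JVM-wide extension of "jdk.tls.disabledAlgorithms". It assumes that the JSSE implementation passes the TLS scheme name (for example "rsa_pkcs1_sha1") as the algorithm string to AlgorithmConstraints.permits, and the class name LegacySchemeConstraints is hypothetical.

```java
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
/** Hypothetical constraints that reject the legacy TLS 1.2 schemes listed in the CSR. */
public final class LegacySchemeConstraints implements AlgorithmConstraints {
    // Scheme names exactly as listed on the page; JSSE is assumed to pass them
    // to permits() as the algorithm string together with the SIGNATURE primitive.
    private static final Set<String> DISALLOWED = new HashSet<>(Arrays.asList(
        "dsa_sha256", "ecdsa_sha224", "rsa_sha224", "dsa_sha224",
        "ecdsa_sha1", "rsa_pkcs1_sha1", "dsa_sha1", "rsa_md5"));
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           AlgorithmParameters parameters) {
        // Other strings (cipher suites, key exchange, JCE names) stay subject to the JDK's own checks.
        return algorithm == null || !DISALLOWED.contains(algorithm);
    }
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        return true; // no key-based restriction in this example
    }
    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           Key key, AlgorithmParameters parameters) {
        return permits(primitives, algorithm, parameters);
    }
    /** Per-connection path: SSLParameters.setAlgorithmConstraints on one engine. */
    public static SSLEngine restrictedEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setAlgorithmConstraints(new LegacySchemeConstraints());
        engine.setSSLParameters(params);
        return engine;
    }
    /** JVM-wide path: extend jdk.tls.disabledAlgorithms; assumed to take effect only if set before JSSE initializes. */
    public static void disableLegacySchemesGlobally() {
        String current = Security.getProperty("jdk.tls.disabledAlgorithms");
        String extra = String.join(", ", DISALLOWED);
        Security.setProperty("jdk.tls.disabledAlgorithms",
            (current == null || current.isEmpty()) ? extra : current + ", " + extra);
    }
}
```

The per-connection constraints affect only the engine they are set on, while the security property applies to every SSLContext created afterwards in the JVM.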
Specification
Update the Security Property "jdk.tls.disabledAlgorithms" specification by adding signature scheme and named group restrictions.
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
# In some environments, certain algorithms or key lengths may be undesirable
# when using SSL/TLS. This section describes the mechanism for disabling
# algorithms during SSL/TLS security parameters negotiation, including
# protocol version negotiation, cipher suites selection, peer authentication
# and key exchange mechanisms.
+# protocol version negotiation, cipher suites selection, signature schemes
+# selection, peer authentication and key exchange mechanisms.
#
# Disabled algorithms will not be negotiated for SSL/TLS connections, even
# if they are enabled explicitly in an application.
#
# For PKIbased peer authentication and key exchange mechanisms, this list
# of disabled algorithms will also be checked during certification path
# building and validation, including algorithms used in certificates, as
# well as revocation information such as CRLs and signed OCSP Responses.
# This is in addition to the jdk.certpath.disabledAlgorithms property above.
#
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# selfsigned certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
+# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \
+# rsa_pkcs1_sha1
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
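Review bot: the new wording at "signature schemes selection" and the "rsa_pkcs1_sha1" example do not say which names are accepted for signature schemes; the text sends readers to "jdk.certpath.disabledAlgorithms" for the syntax, and that property does not define TLS scheme names. Suggest adding a line near the example such as "# Signature schemes are named by their TLS identifiers, e.g. rsa_pkcs1_sha1 or ecdsa_secp256r1_sha256." In addition, the two original lines "# protocol version negotiation, cipher suites selection, peer authentication" and "# and key exchange mechanisms." sit unmarked directly above their "+" replacements; they should carry "-" markers (or be dropped), otherwise the comment ends up containing both versions.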
Issue Links

  csr of
    JDK-8260300 Restrict TLS signature schemes in 8u (Resolved)