JDK-8277540

ChaCha20 and Poly1305 TLS Cipher Suites


    • behavioral
    • minimal
    • Other
    • JDK

      Summary

      Add ChaCha20-Poly1305 cipher suites to JSSE. This will include cipher suites specific to TLS 1.2 and TLS 1.3. The CSR is the same as the JDK12 CSR (JDK-8204192), except for the following changes:

      • The Java Security Standard Algorithm Names specification is not being updated with the new cipher suites. This is acceptable, as implementations are allowed to support algorithms not defined in the Standard Names specification.

      • The JDK Providers document (and not the JSSE Reference Guide) is updated with the new cipher suite names. Note that this guide is not a specification.

      Problem

      Prior to the introduction of ChaCha20-Poly1305 suites, there were no stream-cipher based suites for TLS that were considered secure given modern computing capabilities. The ChaCha20-Poly1305 cipher suites use efficient, secure stream ciphers and have the added benefit of running in AEAD mode, which makes them suitable for TLS 1.2 and also lets them meet the security requirements for TLS 1.3.

      Solution

      For TLS 1.2 three new cipher suites will be added to JSSE as defined in RFC 7905. They are:

      • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

      For TLS 1.3 one additional cipher suite will be added, as called out in RFC 8446:

      • TLS_CHACHA20_POLY1305_SHA256

      All four cipher suites will be part of the default-enabled collection of cipher suites. That said, these two collections of cipher suites are exclusive to specific protocol versions (i.e. TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cannot be used with TLS 1.3, and TLS_CHACHA20_POLY1305_SHA256 may not be used for TLS 1.2). It is permissible to have all four cipher suites asserted in an initial ClientHello TLS handshake message, as the protocol version may not have been determined yet. In cases where the client protocol version is limited exclusively to TLS 1.2 or TLS 1.3, only those suites allowed by that protocol version will be asserted in the ClientHello.
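One way to check a runtime against the suite-to-protocol pairing described above and to pin a client to ChaCha20-Poly1305 only. This is an added example, not code from the CSR or the JDK; the class name `ChaChaSuiteCheck` and the helper `chachaOnly` are hypothetical, and it uses only the standard `javax.net.ssl` API.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class ChaChaSuiteCheck {
    // Suite names and their protocol pairing, as listed in this CSR.
    static final List<String> TLS12 = Arrays.asList(
        "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256");
    static final List<String> TLS13 = Arrays.asList("TLS_CHACHA20_POLY1305_SHA256");
    // Hypothetical helper: parameters restricted to the given protocol versions and
    // to the ChaCha20-Poly1305 suites valid for them that this runtime supports.
    static SSLParameters chachaOnly(SSLContext ctx, String... protocols) {
        SSLParameters sup = ctx.getSupportedSSLParameters();
        Set<String> supSuites = new HashSet<>(Arrays.asList(sup.getCipherSuites()));
        Set<String> supProtos = new HashSet<>(Arrays.asList(sup.getProtocols()));
        List<String> suites = new ArrayList<>();
        for (String p : protocols) {
            if (!supProtos.contains(p))
                throw new IllegalStateException("protocol not supported: " + p);
            if (p.equals("TLSv1.3")) suites.addAll(TLS13);
            if (p.equals("TLSv1.2")) suites.addAll(TLS12);
        }
        suites.retainAll(supSuites);  // setEnabledCipherSuites rejects unknown names
        if (suites.isEmpty())
            throw new IllegalStateException("no ChaCha20-Poly1305 suite available");
        return new SSLParameters(suites.toArray(new String[0]), protocols);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));
        List<String> all = new ArrayList<>(TLS13);
        all.addAll(TLS12);
        for (String s : all)  // report whether each suite is on by default here
            System.out.println((enabled.contains(s) ? "default-enabled  " : "not enabled      ") + s);
        SSLEngine client = ctx.createSSLEngine();
        client.setUseClientMode(true);
        client.setSSLParameters(chachaOnly(ctx, "TLSv1.3"));
        System.out.println("TLS 1.3 only: " + Arrays.toString(client.getEnabledCipherSuites()));
    }
}
```

On a runtime without these suites the helper fails fast with `IllegalStateException` instead of letting an unsupported name reach `setEnabledCipherSuites`.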

      Specification

      There are no new public classes or methods as part of this feature. The new cipher suite names for TLS 1.2 and TLS 1.3 will be added to the "SunJSSE Cipher Suites" section of the "The SunJSSE Provider" section of the "JDK Providers Documentation". The names themselves are identical to the cipher suite names listed in the Solution section.

      The SunJSSE Provider guide:

      TLS_AES_128_GCM_SHA256
      TLS_AES_256_GCM_SHA384
      +TLS_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      +TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      +TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_RSA_WITH_AES_256_GCM_SHA384
      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
      TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
      +TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
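Review bot: The four "+" entries are interleaved with the existing AES-GCM names, but nothing around this list says whether position in it reflects default preference order. Since the Solution makes all four suites default-enabled, a reader will infer negotiation priority from where each line sits. Suggest stating above the list whether it is ordered by preference, and if it is, confirming that placing each ChaCha20-Poly1305 suite after the AES-GCM suites with the same key exchange is intended.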

            pkoppula Prasadarao Koppula (Inactive)
            xuelei Xuelei Fan
            Sean Mullan