JDK-8280493

(D)TLS signature schemes

    Details

    • Type: JEP
    • Status: Closed
    • Priority: P3
    • Resolution: Withdrawn
    • Fix Version/s: None
    • Component/s: security-libs
    • Labels:
      None
    • Author:
      Xuelei Fan
    • JEP Type:
      Feature
    • Exposure:
      Open
    • Subcomponent:
    • Scope:
      SE
    • Discussion:
      security dash dev at openjdk dot java dot net
    • Effort:
      S
    • Duration:
      S

      Description

      Summary

      Support customization of signature schemes for individual (D)TLS connections.

      Goals

      • Define new APIs to customize signature schemes for (D)TLS connections.
      • Implement the new APIs in the JSSE implementation in JDK.

      Non-Goals

      (D)TLS signature schemes implementation is not part of this JEP. This JEP will focus on defining new APIs so that an application is able to customize signature schemes for individual (D)TLS connections. It is not a goal to enhance the existing signature schemes in JDK.

      Motivation

      In a (D)TLS connection, the client and server may support different signature algorithms. (D)TLS specifications (see RFC 8446 and RFC 5246) define the procedure to negotiate the signature algorithms that could be used in digital signatures during the negotiation of (D)TLS connections.

      JEP 332: Transport Layer Security (TLS) 1.3 and the follow-on enhancements implemented this procedure and the essential signature schemes in the JDK. JDK-8242141 then added two system properties for configuring the default signature schemes: jdk.tls.client.SignatureSchemes for the TLS client side and jdk.tls.server.SignatureSchemes for the server side.

      Rather than using the provider default signature schemes, applications may want to customize the signature schemes for individual connections, for fine control of the security properties. New APIs are needed to support this flexibility.

      Description

      This feature defines public APIs for specifying the signature schemes that can be used to establish (D)TLS connections. The signature schemes are conveyed between client and server during the (D)TLS handshake.

      A (D)TLS application can use an extended SSLParameters class to get and set the list of signature scheme names that are supported on a given connection. The (D)TLS implementation also uses this class to retrieve the signature schemes declared by the application.

      The proposed design follows an API methodology similar to the one used for JEP 114: TLS Server Name Indication (SNI) Extension, which was introduced in JDK 8.

      Alternatives

      Applications can use the jdk.tls.client.SignatureSchemes and jdk.tls.server.SignatureSchemes System Properties for the default signature schemes configuration. However, the configuration impacts all connections and applications running on the same JVM.
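
      The per-connection customization described above, set against the JVM-wide system properties, as an added example that is not part of the JEP text or the JDK sources. It assumes the accessors are named setSignatureSchemes and getSignatureSchemes, which this page does not state; those are the names found on SSLParameters in JDK 19 and later. The host names and the scheme list are constructed.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class PerConnectionSignatureSchemes {
    // Constructed allowlist, most preferred first (RFC 8446 scheme names).
    static final String[] ALLOWED = {
        "ecdsa_secp256r1_sha256", "ed25519", "rsa_pss_rsae_sha256"
    };

    // Build a client-mode engine and, if schemes != null, restrict this one
    // connection to them. Passing null leaves the provider defaults in place,
    // which are what jdk.tls.client.SignatureSchemes adjusts for the whole JVM.
    static SSLEngine clientEngine(SSLContext ctx, String host, String[] schemes) {
        SSLEngine engine = ctx.createSSLEngine(host, 443);
        engine.setUseClientMode(true);
        // getSSLParameters() returns a copy: modify it, then set it back.
        SSLParameters params = engine.getSSLParameters();
        if (schemes != null) {
            params.setSignatureSchemes(schemes);
        }
        engine.setSSLParameters(params);
        return engine;
    }

    // Report what a single connection is configured to offer.
    static String describe(SSLEngine engine) {
        String[] s = engine.getSSLParameters().getSignatureSchemes();
        return engine.getPeerHost() + " -> "
            + (s == null ? "null (provider defaults)" : Arrays.toString(s));
    }

    public static void main(String[] args) throws Exception {
        // One shared context, two connections with independent settings.
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine restricted = clientEngine(ctx, "payments.example", ALLOWED);
        SSLEngine untouched = clientEngine(ctx, "intranet.example", null);
        System.out.println(describe(restricted));
        System.out.println(describe(untouched));
    }
}
```

      Both engines come from the same SSLContext in the same JVM, so the restriction on the first does not affect the second; the same SSLParameters round trip applies to SSLSocket and SSLServerSocket.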

      Testing

      • Tests will be developed or enhanced to validate the implementation of the new APIs in JDK.
      • It should be verified that this implementation does not introduce any unexpected compatibility or interoperability impact.

      People

      • Assignee: Xuelei Fan
      • Reporter: Xuelei Fan
      • Owner: Xuelei Fan