Support signature schemes customization for individual (D)TLS connection.
- Define new APIs to customize signature schemes for (D)TLS connections.
- Implement the new APIs in the JSSE implementation in JDK.
(D)TLS signature schemes implementation is not part of this JEP. This JEP will focus on defining new APIs so that an application is able to customize signature schemes for individual (D)TLS connections. It is not a goal to enhance the existing signature schemes in JDK.
In a (D)TLS connection, the client and server may support different signature algorithms. (D)TLS specifications (see RFC 8446 and RFC 5246) define the procedure to negotiate the signature algorithms that could be used in digital signatures during the negotiation of (D)TLS connections.
In JEP 332: Transport Layer Security (TLS) 1.3 and the follow-on enhancements, JDK implemented the procedure and essential signature schemes. And in JDK-8242141, in order to configure the default signature schemes, the
jdk.tls.client.SignatureSchemes System Property was added for the TLS client side configuration, and the
jdk.tls.server.SignatureSchemes System Property was added for the server side configuration.
Rather than using the provider default signature schemes, applications may want to customize the signature schemes for individual connections, for fine control of the security properties. New APIs are need to support this flexibility.
This feature defines the public APIs to define the signature schemes that can be used to establish (D)TLS connections. The signature schemes are conveyed between client and server during the (D)TLS handshake.
A (D)TLS application can use an extended SSLParameters class to get and set the list of signature scheme names that are supported on a given connection. The (D)TLS implementation also uses this class to retrieve the signature schemes declared by the application.
The proposed design follows a similar API methodology used for the JEP 114: TLS Server Name Indication (SNI) Extension, which was introduced in JDK 8.
Applications can use the
jdk.tls.server.SignatureSchemes System Properties for the default signature schemes configuration. However, the configuration impacts all connections and applications running on the same JVM.
- Tests will be developed or enhanced to validate the implementation of the new APIs in JDK.
- It should be verified that this implementation does not introduce any unexpected compatibility or interoperability impact.