changeset 10945:4f9e3c8e65b3

8076328: Enforce key exchange constraints Reviewed-by: wetmore, ahgross, asmotrak, xuelei
author igerasim
date Fri, 24 Apr 2015 13:59:30 +0300
parents 906d298f5f1b
children 0010682d9a2b
files src/share/classes/sun/security/ssl/ClientHandshaker.java src/share/classes/sun/security/ssl/DHCrypt.java src/share/classes/sun/security/ssl/ECDHCrypt.java src/share/classes/sun/security/ssl/Handshaker.java src/share/classes/sun/security/ssl/ServerHandshaker.java src/share/lib/security/java.security-aix src/share/lib/security/java.security-linux src/share/lib/security/java.security-macosx src/share/lib/security/java.security-solaris src/share/lib/security/java.security-windows test/sun/security/ec/TestEC.java test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java
diffstat 15 files changed, 139 insertions(+), 31 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java	Fri Apr 24 13:59:30 2015 +0300
@@ -675,6 +675,14 @@
             // NOTREACHED
         }
         ephemeralServerKey = mesg.getPublicKey();
+
+        // check constraints of RSA PublicKey
+        if (!algorithmConstraints.permits(
+            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
+
+            throw new SSLHandshakeException("RSA ServerKeyExchange " +
+                    "does not comply to algorithm constraints");
+        }
     }
 
 
@@ -692,6 +700,9 @@
         dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
                                             sslContext.getSecureRandom());
         serverDH = mesg.getServerPublicKey();
+
+        // check algorithm constraints
+        dh.checkConstraints(algorithmConstraints, serverDH);
     }
 
     private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
@@ -702,6 +713,14 @@
         ECPublicKey key = mesg.getPublicKey();
         ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
         ephemeralServerKey = key;
+
+        // check constraints of EC PublicKey
+        if (!algorithmConstraints.permits(
+            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
+
+            throw new SSLHandshakeException("ECDH ServerKeyExchange " +
+                    "does not comply to algorithm constraints");
+        }
     }
 
     /*
--- a/src/share/classes/sun/security/ssl/DHCrypt.java	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/classes/sun/security/ssl/DHCrypt.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@
 import javax.crypto.KeyAgreement;
 import javax.crypto.interfaces.DHPublicKey;
 import javax.crypto.spec.*;
+import java.util.EnumSet;
 
 import sun.security.util.KeyUtil;
 
@@ -216,6 +217,28 @@
         }
     }
 
+    // Check constraints of the specified DH public key.
+    void checkConstraints(AlgorithmConstraints constraints,
+            BigInteger peerPublicValue) throws SSLHandshakeException {
+
+        try {
+            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+            DHPublicKeySpec spec =
+                        new DHPublicKeySpec(peerPublicValue, modulus, base);
+            DHPublicKey publicKey = (DHPublicKey)kf.generatePublic(spec);
+
+            // check constraints of DHPublicKey
+            if (!constraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
+                throw new SSLHandshakeException(
+                    "DHPublicKey does not comply to algorithm constraints");
+            }
+        } catch (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate DHPublicKey").initCause(gse);
+        }
+    }
+
     // Generate and validate DHPublicKeySpec
     private DHPublicKeySpec generateDHPublicKeySpec(KeyPairGenerator kpg)
             throws GeneralSecurityException {
--- a/src/share/classes/sun/security/ssl/ECDHCrypt.java	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/classes/sun/security/ssl/ECDHCrypt.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@
 import java.security.interfaces.ECPublicKey;
 import java.security.spec.*;
 
+import java.util.EnumSet;
 import javax.crypto.SecretKey;
 import javax.crypto.KeyAgreement;
 import javax.net.ssl.SSLHandshakeException;
@@ -88,8 +89,11 @@
         return publicKey;
     }
 
-    // called by ClientHandshaker with either the server's static or ephemeral public key
-    SecretKey getAgreedSecret(PublicKey peerPublicKey) throws SSLHandshakeException {
+    // called by ClientHandshaker with either the server's static or
+    // ephemeral public key
+    SecretKey getAgreedSecret(
+            PublicKey peerPublicKey) throws SSLHandshakeException {
+
         try {
             KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
             ka.init(privateKey);
@@ -102,10 +106,13 @@
     }
 
     // called by ServerHandshaker
-    SecretKey getAgreedSecret(byte[] encodedPoint) throws SSLHandshakeException {
+    SecretKey getAgreedSecret(
+            byte[] encodedPoint) throws SSLHandshakeException {
+
         try {
             ECParameterSpec params = publicKey.getParams();
-            ECPoint point = JsseJce.decodePoint(encodedPoint, params.getCurve());
+            ECPoint point =
+                    JsseJce.decodePoint(encodedPoint, params.getCurve());
             KeyFactory kf = JsseJce.getKeyFactory("EC");
             ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
             PublicKey peerPublicKey = kf.generatePublic(spec);
@@ -116,4 +123,30 @@
         }
     }
 
+    // Check constraints of the specified EC public key.
+    void checkConstraints(AlgorithmConstraints constraints,
+            byte[] encodedPoint) throws SSLHandshakeException {
+
+        try {
+
+            ECParameterSpec params = publicKey.getParams();
+            ECPoint point =
+                    JsseJce.decodePoint(encodedPoint, params.getCurve());
+            ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+
+            KeyFactory kf = JsseJce.getKeyFactory("EC");
+            ECPublicKey publicKey = (ECPublicKey)kf.generatePublic(spec);
+
+            // check constraints of ECPublicKey
+            if (!constraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
+                throw new SSLHandshakeException(
+                    "ECPublicKey does not comply to algorithm constraints");
+            }
+        } catch (GeneralSecurityException | java.io.IOException e) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate ECPublicKey").initCause(e);
+        }
+    }
+
 }
--- a/src/share/classes/sun/security/ssl/Handshaker.java	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/classes/sun/security/ssl/Handshaker.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -86,7 +86,7 @@
     String identificationProtocol;
 
     // The cryptographic algorithm constraints
-    private AlgorithmConstraints algorithmConstraints = null;
+    AlgorithmConstraints algorithmConstraints = null;
 
     // Local supported signature and algorithms
     Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java	Fri Apr 24 13:59:30 2015 +0300
@@ -32,6 +32,7 @@
 import java.security.cert.*;
 import java.security.interfaces.*;
 import java.security.spec.ECParameterSpec;
+import java.math.BigInteger;
 
 import javax.crypto.SecretKey;
 import javax.crypto.spec.SecretKeySpec;
@@ -1564,7 +1565,13 @@
         if (debug != null && Debug.isOn("handshake")) {
             mesg.print(System.out);
         }
-        return dh.getAgreedSecret(mesg.getClientPublicKey(), false);
+
+        BigInteger publicKeyValue = mesg.getClientPublicKey();
+
+        // check algorithm constraints
+        dh.checkConstraints(algorithmConstraints, publicKeyValue);
+
+        return dh.getAgreedSecret(publicKeyValue, false);
     }
 
     private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
@@ -1573,7 +1580,13 @@
         if (debug != null && Debug.isOn("handshake")) {
             mesg.print(System.out);
         }
-        return ecdh.getAgreedSecret(mesg.getEncodedPoint());
+
+        byte[] publicPoint = mesg.getEncodedPoint();
+
+        // check algorithm constraints
+        ecdh.checkConstraints(algorithmConstraints, publicPoint);
+
+        return ecdh.getAgreedSecret(publicPoint);
     }
 
     /*
--- a/src/share/lib/security/java.security-aix	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/lib/security/java.security-aix	Fri Apr 24 13:59:30 2015 +0300
@@ -500,7 +500,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
@@ -539,7 +539,7 @@
 #     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
 #     2. JSSE key exchange algorithm name, e.g., RSA
 #     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
-#     4. JSSE message digest algorithm name, e.g., SHA-1
+#     4. JSSE message digest algorithm name, e.g., SHA
 #
 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
 # Algorithm Name Documentation" for information about the algorithm names.
--- a/src/share/lib/security/java.security-linux	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/lib/security/java.security-linux	Fri Apr 24 13:59:30 2015 +0300
@@ -500,7 +500,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
@@ -539,7 +539,7 @@
 #     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
 #     2. JSSE key exchange algorithm name, e.g., RSA
 #     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
-#     4. JSSE message digest algorithm name, e.g., SHA-1
+#     4. JSSE message digest algorithm name, e.g., SHA
 #
 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
 # Algorithm Name Documentation" for information about the algorithm names.
--- a/src/share/lib/security/java.security-macosx	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/lib/security/java.security-macosx	Fri Apr 24 13:59:30 2015 +0300
@@ -503,7 +503,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
@@ -542,7 +542,7 @@
 #     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
 #     2. JSSE key exchange algorithm name, e.g., RSA
 #     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
-#     4. JSSE message digest algorithm name, e.g., SHA-1
+#     4. JSSE message digest algorithm name, e.g., SHA
 #
 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
 # Algorithm Name Documentation" for information about the algorithm names.
--- a/src/share/lib/security/java.security-solaris	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/lib/security/java.security-solaris	Fri Apr 24 13:59:30 2015 +0300
@@ -502,7 +502,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
@@ -541,7 +541,7 @@
 #     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
 #     2. JSSE key exchange algorithm name, e.g., RSA
 #     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
-#     4. JSSE message digest algorithm name, e.g., SHA-1
+#     4. JSSE message digest algorithm name, e.g., SHA
 #
 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
 # Algorithm Name Documentation" for information about the algorithm names.
--- a/src/share/lib/security/java.security-windows	Tue May 05 20:04:16 2015 +0300
+++ b/src/share/lib/security/java.security-windows	Fri Apr 24 13:59:30 2015 +0300
@@ -503,7 +503,7 @@
 #
 # Example:
 #   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
-jdk.tls.disabledAlgorithms=SSLv3
+jdk.tls.disabledAlgorithms=SSLv3, DH keySize < 768
 
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
 # processing in JSSE implementation.
@@ -542,7 +542,7 @@
 #     1. JSSE cipher suite name, e.g., TLS_RSA_WITH_AES_128_CBC_SHA
 #     2. JSSE key exchange algorithm name, e.g., RSA
 #     3. JSSE cipher (encryption) algorithm name, e.g., AES_128_CBC
-#     4. JSSE message digest algorithm name, e.g., SHA-1
+#     4. JSSE message digest algorithm name, e.g., SHA
 #
 # See SSL/TLS specifications and "Java Cryptography Architecture Standard
 # Algorithm Name Documentation" for information about the algorithm names.
--- a/test/sun/security/ec/TestEC.java	Tue May 05 20:04:16 2015 +0300
+++ b/test/sun/security/ec/TestEC.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -59,6 +59,11 @@
 public class TestEC {
 
     public static void main(String[] args) throws Exception {
+        // reset security properties to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
         ProvidersSnapshot snapshot = ProvidersSnapshot.create();
         try {
             main0(args);
@@ -68,10 +73,6 @@
     }
 
     public static void main0(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
-        // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
-
         Provider p = Security.getProvider("SunEC");
 
         if (p == null) {
--- a/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Tue May 05 20:04:16 2015 +0300
+++ b/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,9 +43,10 @@
     private static String[] cmdArgs;
 
     public static void main(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
+        // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
 
         cmdArgs = args;
         main(new ClientJSSEServerJSSE());
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Tue May 05 20:04:16 2015 +0300
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -100,6 +100,7 @@
 import javax.net.ssl.SSLEngineResult.*;
 import java.io.*;
 import java.nio.*;
+import java.security.Security;
 import java.security.KeyStore;
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
@@ -377,6 +378,11 @@
     }
 
     public static void main(String args[]) throws Exception {
+        // reset security properties to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
         if (args.length != 4) {
             System.out.println(
                 "Usage: java DHEKeySizing cipher-suite " +
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java	Tue May 05 20:04:16 2015 +0300
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/ServerHandshaker/AnonCipherWithWantClientAuth.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,6 +21,11 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 4392475
@@ -34,6 +39,7 @@
 import java.io.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class AnonCipherWithWantClientAuth {
 
@@ -156,6 +162,11 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        // reset security properties to make sure that the algorithms
+        // and keys used in this test are not disabled.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- a/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Tue May 05 20:04:16 2015 +0300
+++ b/test/sun/security/ssl/sanity/interop/ClientJSSEServerJSSE.java	Fri Apr 24 13:59:30 2015 +0300
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,9 +34,10 @@
 public class ClientJSSEServerJSSE {
 
     public static void main(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
+        // reset security properties to make sure that the algorithms
         // and keys used in this test are not disabled.
         Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
 
         CipherTest.main(new JSSEFactory(), args);
     }