Added named group check to SupportedSignatureAlgorithmConstraints

haimaychao · Mar 22, 2024 · 9da3fbe · 9da3fbe
1 parent 8d2359a
commit 9da3fbe
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 3 deletions.
diff --git a/src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java b/src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -323,7 +323,8 @@ public boolean permits(Set<CryptoPrimitive> primitives,
 
         @Override
         public final boolean permits(Set<CryptoPrimitive> primitives, Key key) {
-            return true;
+
+            return SignatureScheme.isSignerCompatible(key, supportedAlgorithms);
         }
 
         @Override

diff --git a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2024, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package sun.security.ssl;
 
 import java.security.*;
+import java.security.interfaces.ECPublicKey;
 import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.ECParameterSpec;
 import java.security.spec.MGF1ParameterSpec;
@@ -630,4 +631,35 @@ private Signature getSigner(PrivateKey privateKey) {
 
         return null;
     }
+
+    /*
+     * This method is used to check if the provided key is compatible with at least
+     * one of the specified signature algorithms.
+     */
+    static boolean isSignerCompatible(Key key, String[] sigAlgorithms) {
+        if (!(key instanceof ECPublicKey)) {
+            return true;
+        }
+
+        ECParameterSpec params = ((ECPublicKey) key).getParams();
+        NamedGroup keyNamedGroup = NamedGroup.valueOf(params);
+        if (keyNamedGroup == null) {
+            return false;
+        }
+
+        for (String algorithm : sigAlgorithms) {
+            for (SignatureScheme scheme : SignatureScheme.values()) {
+                if (algorithm.equalsIgnoreCase(scheme.algorithm)) {
+                    if (scheme.namedGroup != null) {
+                        if (scheme.namedGroup.name.equalsIgnoreCase(keyNamedGroup.name)) {
+                            return true;
+                        }
+                    }
+                }
+            }
+        }
+
+        return false;
+    }
+
 }