Skip to content

Commit

Permalink
8311596: Add separate system properties for TLS server and client for…
Browse files Browse the repository at this point in the history
… maximum chain length

Reviewed-by: jnimeh, weijun, mullan
  • Loading branch information
Hai-May Chao committed Oct 31, 2023
1 parent 3a7525d commit 0064cf9
Show file tree
Hide file tree
Showing 2 changed files with 68 additions and 9 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -130,12 +130,16 @@ static final class T12CertificateMessage extends HandshakeMessage {
byte[] encodedCert = Record.getBytes24(m);
listLen -= (3 + encodedCert.length);
encodedCerts.add(encodedCert);
if (encodedCerts.size() > SSLConfiguration.maxCertificateChainLength) {
int maxAllowedChainLength = handshakeContext.sslConfig.isClientMode ?
SSLConfiguration.maxInboundServerCertChainLen :
SSLConfiguration.maxInboundClientCertChainLen;

if (encodedCerts.size() > maxAllowedChainLength) {
throw new SSLProtocolException(
"The certificate chain length ("
+ encodedCerts.size()
+ ") exceeds the maximum allowed length ("
+ SSLConfiguration.maxCertificateChainLength
+ maxAllowedChainLength
+ ")");
}

Expand Down Expand Up @@ -861,12 +865,16 @@ static final class T13CertificateMessage extends HandshakeMessage {
SSLExtensions extensions =
new SSLExtensions(this, m, enabledExtensions);
certList.add(new CertificateEntry(encodedCert, extensions));
if (certList.size() > SSLConfiguration.maxCertificateChainLength) {
int maxAllowedChainLength = handshakeContext.sslConfig.isClientMode ?
SSLConfiguration.maxInboundServerCertChainLen :
SSLConfiguration.maxInboundClientCertChainLen;

if (certList.size() > maxAllowedChainLength) {
throw new SSLProtocolException(
"The certificate chain length ("
+ certList.size()
+ ") exceeds the maximum allowed length ("
+ SSLConfiguration.maxCertificateChainLength
+ maxAllowedChainLength
+ ")");
}
}
Expand Down
59 changes: 55 additions & 4 deletions src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2023, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -108,9 +108,11 @@ final class SSLConfiguration implements Cloneable {
static final int maxHandshakeMessageSize = GetIntegerAction.privilegedGetProperty(
"jdk.tls.maxHandshakeMessageSize", 32768);

// Set the max certificate chain length to 10
static final int maxCertificateChainLength = GetIntegerAction.privilegedGetProperty(
"jdk.tls.maxCertificateChainLength", 10);
// Limit the certificate chain length accepted from clients
static final int maxInboundClientCertChainLen;

// Limit the certificate chain length accepted from servers
static final int maxInboundServerCertChainLen;

// To switch off the supported_groups extension for DHE cipher suite.
static final boolean enableFFDHE =
Expand All @@ -133,6 +135,55 @@ final class SSLConfiguration implements Cloneable {
useExtendedMasterSecret = supportExtendedMasterSecret;
}

static {
boolean globalPropSet = false;

// jdk.tls.maxCertificateChainLength property has no default
Integer maxCertificateChainLength = GetIntegerAction.privilegedGetProperty(
"jdk.tls.maxCertificateChainLength");
if (maxCertificateChainLength != null && maxCertificateChainLength >= 0) {
globalPropSet = true;
}

/*
* If either jdk.tls.server.maxInboundCertificateChainLength or
* jdk.tls.client.maxInboundCertificateChainLength is set, it will
* override jdk.tls.maxCertificateChainLength, regardless of whether
* jdk.tls.maxCertificateChainLength is set or not.
* If neither jdk.tls.server.maxInboundCertificateChainLength nor
* jdk.tls.client.maxInboundCertificateChainLength is set, the behavior
* depends on the setting of jdk.tls.maxCertificateChainLength. If
* jdk.tls.maxCertificateChainLength is set, it falls back to that
* value; otherwise, it defaults to 8 for
* jdk.tls.server.maxInboundCertificateChainLength
* and 10 for jdk.tls.client.maxInboundCertificateChainLength.
* Users can independently set either
* jdk.tls.server.maxInboundCertificateChainLength or
* jdk.tls.client.maxInboundCertificateChainLength.
*/
Integer inboundClientLen = GetIntegerAction.privilegedGetProperty(
"jdk.tls.server.maxInboundCertificateChainLength");

// Default for jdk.tls.server.maxInboundCertificateChainLength is 8
if (inboundClientLen == null || inboundClientLen < 0) {
maxInboundClientCertChainLen = globalPropSet ?
maxCertificateChainLength : 8;
} else {
maxInboundClientCertChainLen = inboundClientLen;
}

Integer inboundServerLen = GetIntegerAction.privilegedGetProperty(
"jdk.tls.client.maxInboundCertificateChainLength");

// Default for jdk.tls.client.maxInboundCertificateChainLength is 10
if (inboundServerLen == null || inboundServerLen < 0) {
maxInboundServerCertChainLen = globalPropSet ?
maxCertificateChainLength : 10;
} else {
maxInboundServerCertChainLen = inboundServerLen;
}
}

SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {

// Configurations with SSLParameters, default values.
Expand Down

1 comment on commit 0064cf9

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.