8263188: JSSE should fail fast if there isn't supported signature alg…

…orithm Reviewed-by: xuelei
openjdk · Mar 29, 2021 · 99b4bab · 99b4bab · openjdk-notifier · Mar 29, 2021
1 parent 6678b01
commit 99b4bab
Show file tree

Hide file tree

Showing 6 changed files with 494 additions and 13 deletions.
diff --git a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -689,13 +689,16 @@ public void consume(ConnectionContext context,
             chc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
                     SSLHandshake.CERTIFICATE);
 
-            List<SignatureScheme> sss = new LinkedList<>();
-            for (int id : crm.algorithmIds) {
-                SignatureScheme ss = SignatureScheme.valueOf(id);
-                if (ss != null) {
-                    sss.add(ss);
-                }
+            List<SignatureScheme> sss =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
+                            chc.algorithmConstraints, chc.negotiatedProtocol,
+                            crm.algorithmIds);
+            if (sss == null || sss.isEmpty()) {
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No supported signature algorithm");
             }
+
             chc.peerRequestedSignatureSchemes = sss;
             chc.peerRequestedCertSignSchemes = sss;     // use the same schemes
             chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);

diff --git a/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java b/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
@@ -279,6 +279,10 @@ public void consume(ConnectionContext context,
                             shc.sslConfig,
                             shc.algorithmConstraints, shc.negotiatedProtocol,
                             spec.signatureSchemes);
+            if (sss == null || sss.isEmpty()) {
+                throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No supported signature algorithm");
+            }
             shc.peerRequestedSignatureSchemes = sss;
 
             // If no "signature_algorithms_cert" extension is present, then
@@ -330,7 +334,7 @@ public void absent(ConnectionContext context,
             if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
                 throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
                     "No mandatory signature_algorithms extension in the " +
-                    "received CertificateRequest handshake message");
+                    "received ClientHello handshake message");
             }
         }
     }
@@ -503,6 +507,10 @@ public void consume(ConnectionContext context,
                             chc.sslConfig,
                             chc.algorithmConstraints, chc.negotiatedProtocol,
                             spec.signatureSchemes);
+            if (sss == null || sss.isEmpty()) {
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No supported signature algorithm");
+            }
             chc.peerRequestedSignatureSchemes = sss;
 
             // If no "signature_algorithms_cert" extension is present, then

diff --git a/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -478,7 +478,7 @@ private SSLContext createSSLContext(
     /*
      * Create an instance of KeyManager with the specified key materials.
      */
-    private KeyManager createKeyManager(
+    static KeyManager createKeyManager(
             String[] keyMaterialCerts,
             String[] keyMaterialKeys,
             String[] keyMaterialKeyAlgs,
@@ -534,7 +534,7 @@ private KeyManager createKeyManager(
     /*
      * Create an instance of TrustManager with the specified trust materials.
      */
-    private TrustManager createTrustManager(
+    static TrustManager createTrustManager(
             String[] trustedMaterials,
             ContextParameters params) throws Exception {
 

diff --git a/test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java b/test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java
@@ -197,7 +197,7 @@ private void runTest() throws Exception {
         }
     }
 
-    private static boolean isOpen(SSLEngine engine) {
+    static boolean isOpen(SSLEngine engine) {
         return (!engine.isOutboundDone() || !engine.isInboundDone());
     }
 
@@ -240,7 +240,7 @@ protected static void runDelegatedTasks(SSLEngine engine) throws Exception {
     }
 
     // Simple check to make sure everything came across as expected.
-    private static void checkTransfer(ByteBuffer a, ByteBuffer b)
+    static void checkTransfer(ByteBuffer a, ByteBuffer b)
             throws Exception {
         a.flip();
         b.flip();