TLSv1.2 CertificateRequest could fail fast if no common signature sch…

…eme and add two tests for TLSv1.2 and TLSv1.3 respectively
openjdk · Mar 16, 2021 · a0552d4 · a0552d4
1 parent bed8a7b
commit a0552d4
Show file tree

Hide file tree

Showing 5 changed files with 485 additions and 12 deletions.
diff --git a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -689,13 +689,16 @@ public void consume(ConnectionContext context,
             chc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
                     SSLHandshake.CERTIFICATE);
 
-            List<SignatureScheme> sss = new LinkedList<>();
-            for (int id : crm.algorithmIds) {
-                SignatureScheme ss = SignatureScheme.valueOf(id);
-                if (ss != null) {
-                    sss.add(ss);
-                }
+            List<SignatureScheme> sss =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
+                            chc.algorithmConstraints, chc.negotiatedProtocol,
+                            crm.algorithmIds);
+            if (sss == null || sss.isEmpty()) {
+                throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No supported signature algorithm");
             }
+
             chc.peerRequestedSignatureSchemes = sss;
             chc.peerRequestedCertSignSchemes = sss;     // use the same schemes
             chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);

diff --git a/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java b/test/jdk/javax/net/ssl/templates/SSLContextTemplate.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -478,7 +478,7 @@ private SSLContext createSSLContext(
     /*
      * Create an instance of KeyManager with the specified key materials.
      */
-    private KeyManager createKeyManager(
+    static KeyManager createKeyManager(
             String[] keyMaterialCerts,
             String[] keyMaterialKeys,
             String[] keyMaterialKeyAlgs,
@@ -534,7 +534,7 @@ private KeyManager createKeyManager(
     /*
      * Create an instance of TrustManager with the specified trust materials.
      */
-    private TrustManager createTrustManager(
+    static TrustManager createTrustManager(
             String[] trustedMaterials,
             ContextParameters params) throws Exception {
 

diff --git a/test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java b/test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java
@@ -197,7 +197,7 @@ private void runTest() throws Exception {
         }
     }
 
-    private static boolean isOpen(SSLEngine engine) {
+    static boolean isOpen(SSLEngine engine) {
         return (!engine.isOutboundDone() || !engine.isInboundDone());
     }
 
@@ -240,7 +240,7 @@ protected static void runDelegatedTasks(SSLEngine engine) throws Exception {
     }
 
     // Simple check to make sure everything came across as expected.
-    private static void checkTransfer(ByteBuffer a, ByteBuffer b)
+    static void checkTransfer(ByteBuffer a, ByteBuffer b)
             throws Exception {
         a.flip();
         b.flip();