Skip to content

Commit

Permalink
8262186: Call X509KeyManager.chooseClientAlias once for all key types
Browse files Browse the repository at this point in the history
Reviewed-by: phh
Backport-of: 3d657eb0a626e33995af5d5ddf12b26d06317962
  • Loading branch information
GoeLin committed Nov 21, 2023
1 parent b7605b7 commit 2a37bae
Show file tree
Hide file tree
Showing 4 changed files with 310 additions and 171 deletions.
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
Expand Down Expand Up @@ -1043,6 +1043,7 @@ private static SSLPossession choosePossession(
}

Collection<String> checkedKeyTypes = new HashSet<>();
List<String> supportedKeyTypes = new ArrayList<>();
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
Expand All @@ -1051,6 +1052,7 @@ private static SSLPossession choosePossession(
}
continue;
}
checkedKeyTypes.add(ss.keyAlgorithm);

// Don't select a signature scheme unless we will be able to
// produce a CertificateVerify message later
Expand All @@ -1064,36 +1066,28 @@ private static SSLPossession choosePossession(
"Unable to produce CertificateVerify for " +
"signature scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

SSLAuthentication ka = X509Authentication.valueOf(ss);
X509Authentication ka = X509Authentication.valueOf(ss);
if (ka == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

SSLPossession pos = ka.createPossession(hc);
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unavailable authentication scheme: " + ss.name);
}
continue;
}

return pos;
supportedKeyTypes.add(ss.keyAlgorithm);
}

if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
SSLPossession pos = X509Authentication
.createPossession(hc, supportedKeyTypes.toArray(String[]::new));
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
}
}
return null;
return pos;
}

private byte[] onProduceCertificate(ClientHandshakeContext chc,
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,6 @@
import sun.security.ssl.CipherSuite.KeyExchange;
import sun.security.ssl.SSLHandshake.HandshakeMessage;
import sun.security.ssl.X509Authentication.X509Possession;
import sun.security.ssl.X509Authentication.X509PossessionGenerator;

/**
* Pack of the CertificateRequest handshake message.
Expand Down Expand Up @@ -726,10 +725,11 @@ public void consume(ConnectionContext context,
chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);
chc.peerSupportedAuthorities = crm.getAuthorities();

// For TLS 1.2, we need to use a combination of the CR message's
// allowed key types and the signature algorithms in order to
// find a certificate chain that has the right key and all certs
// using one or more of the allowed cert signature schemes.
// For TLS 1.2, we no longer use the certificate_types field
// from the CertificateRequest message to directly determine
// the SSLPossession. Instead, the choosePossession method
// will use the accepted signature schemes in the message to
// determine the set of acceptable certificate types to select from.
SSLPossession pos = choosePossession(chc, crm);
if (pos == null) {
return;
Expand Down Expand Up @@ -761,6 +761,7 @@ private static SSLPossession choosePossession(HandshakeContext hc,
}

Collection<String> checkedKeyTypes = new HashSet<>();
List<String> supportedKeyTypes = new ArrayList<>();
for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
Expand All @@ -769,6 +770,7 @@ private static SSLPossession choosePossession(HandshakeContext hc,
}
continue;
}
checkedKeyTypes.add(ss.keyAlgorithm);

// Don't select a signature scheme unless we will be able to
// produce a CertificateVerify message later
Expand All @@ -782,7 +784,6 @@ private static SSLPossession choosePossession(HandshakeContext hc,
"Unable to produce CertificateVerify for " +
"signature scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
}

Expand All @@ -792,45 +793,32 @@ private static SSLPossession choosePossession(HandshakeContext hc,
SSLLogger.warning(
"Unsupported authentication scheme: " + ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
} else {
// Any auth object will have a possession generator and
// we need to make sure the key types for that generator
// share at least one common algorithm with the CR's
// allowed key types.
if (ka.possessionGenerator instanceof
X509PossessionGenerator xpg) {
if (Collections.disjoint(crKeyTypes,
Arrays.asList(xpg.keyTypes))) {
if (SSLLogger.isOn &&
SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " +
ss.name);
}
checkedKeyTypes.add(ss.keyAlgorithm);
continue;
// Any auth object will have a set of allowed key types.
// This set should share at least one common algorithm with
// the CR's allowed key types.
if (Collections.disjoint(crKeyTypes,
Arrays.asList(ka.keyTypes))) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unsupported authentication scheme: " +
ss.name);
}
continue;
}
}

SSLPossession pos = ka.createPossession(hc);
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning(
"Unavailable authentication scheme: " + ss.name);
}
continue;
}

return pos;
supportedKeyTypes.add(ss.keyAlgorithm);
}

if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
SSLPossession pos = X509Authentication
.createPossession(hc, supportedKeyTypes.toArray(String[]::new));
if (pos == null) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.warning("No available authentication scheme");
}
}
return null;
return pos;
}
}

Expand Down

1 comment on commit 2a37bae

@openjdk-notifier
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.