On 7/8/2019 8:45 AM, Sean Mullan wrote:
> A couple of comments/questions so far (not done reviewing)
>
> - Please change all instances of "Restric" to "Restrict" (proper
> spelling) in the bug summary and names of tests, etc.

I will do it.

> - It looks like you have enhanced jdk.tls.disabledAlgorithms to allow
> you to restrict named groups. I think that would make this an RFE, which
> will require a CSR and special approval to get into JDK 13. Do you
> really need this to implement the fix?

Named groups are a part of the signature algorithms for TLS 1.3. For
example, for signature algorithm ecdsa_secp256r1_sha256, "secp256r1" is
the named group part. It is simple to restrict named groups and
signature algorithms in one update.

We can go as an RFE for JDK 14. But I would prefer to have it in JDK 13
so that applications could disable RSASSA-PSS and the certificate
selection could be more robust.

As this does not change the public APIs and specs, I think it might be
fine to go with a bug fix for JDK 13 without a CSR.

> If not, I would separate that
> part out and target it to JDK 14. Also, why haven't you updated the
> definition of jdk.tls.disabledAlgorithms to include named groups?

The named groups will be documented in the Standard Algorithms
Documentation. I think it is sufficient.

I'm fine to make it an RFE in JDK 14 if you want a CSR. We could
backport it later if necessary.

Thanks,
Xuelei

> Thanks,
> Sean
>
> On 7/7/19 11:00 PM, Xuelei Fan wrote:
>> ping ...
>>
>> On 6/28/2019 1:41 PM, Xuelei Fan wrote:
>>> Hi,
>>>
>>> Could I get the following update reviewed?
>>> http://cr.openjdk.java.net/~xuelei/8226374/webrev.00/
>>>
>>> During handshaking, the selection of signature algorithms was not
>>> checked with the algorithm constraints. Then the available signature
>>> algorithms may be ignored if a restricted algorithm gets selected.
>>> The connection should be able to be established as there are
>>> available algorithms.
>>>
>>> Within this update, more algorithm constraints checks are
>>> introduced in the signature algorithms and named groups code.
>>> The significant changes are in NamedGroup.java and
>>> SignatureScheme.java, in order to introduce the checking and
>>> algorithm parameters and specs.
>>>
>>> Thanks,
>>> Xuelei
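
The selection problem described in the review request above, as an added example that is not part of the thread and is not the JDK's code: a constructed model in which an unchecked selection picks a restricted scheme while a constraint-aware selection falls through to a permitted one, or to none when the named group is restricted too. The `Scheme` and `Disabled` records and the scheme lists are hypothetical; only `AlgorithmConstraints` and `CryptoPrimitive` are real `java.security` types, and the records assume Java 16 or later.

```java
import java.security.*;
import java.util.*;

public class SchemeSelectionDemo {
    // Constructed model: wire name, signature algorithm, named group (or null).
    record Scheme(String name, String algorithm, String namedGroup) {}

    // Hypothetical constraints that reject any algorithm name in `disabled`.
    record Disabled(Set<String> disabled) implements AlgorithmConstraints {
        public boolean permits(Set<CryptoPrimitive> p, String alg, AlgorithmParameters ap) {
            return !disabled.contains(alg);
        }
        public boolean permits(Set<CryptoPrimitive> p, Key key) { return true; }
        public boolean permits(Set<CryptoPrimitive> p, String alg, Key key, AlgorithmParameters ap) {
            return permits(p, alg, ap);
        }
    }

    static final Set<CryptoPrimitive> SIG = EnumSet.of(CryptoPrimitive.SIGNATURE);

    // Unchecked selection: the first mutually supported scheme wins, even if
    // local policy restricts it, so a later permitted scheme is never tried.
    static Scheme selectUnchecked(List<Scheme> local, List<String> peer) {
        for (Scheme s : local) if (peer.contains(s.name())) return s;
        return null;
    }

    // Checked selection: skip a scheme when its name, its algorithm or its
    // named group is restricted (this model uses one primitive set for all).
    static Scheme selectChecked(List<Scheme> local, List<String> peer, AlgorithmConstraints c) {
        for (Scheme s : local) {
            boolean ok = peer.contains(s.name())
                && c.permits(SIG, s.name(), null)
                && c.permits(SIG, s.algorithm(), null)
                && (s.namedGroup() == null || c.permits(SIG, s.namedGroup(), null));
            if (ok) return s;
        }
        return null;
    }

    public static void main(String[] args) {
        List<Scheme> local = List.of(   // constructed sample data
            new Scheme("rsa_pss_rsae_sha256", "RSASSA-PSS", null),
            new Scheme("ecdsa_secp256r1_sha256", "SHA256withECDSA", "secp256r1"));
        List<String> peer = List.of("rsa_pss_rsae_sha256", "ecdsa_secp256r1_sha256");
        System.out.println(selectUnchecked(local, peer).name());
        System.out.println(selectChecked(local, peer, new Disabled(Set.of("RSASSA-PSS"))).name());
        System.out.println(selectChecked(local, peer, new Disabled(Set.of("RSASSA-PSS", "secp256r1"))));
    }
}
```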