8242141: New System Properties to configure the TLS signature schemes

Reviewed-by: ascarpino, jnimeh, mullan

8242141: New System Properties to configure the TLS signature schemes
Reviewed-by: ascarpino, jnimeh, mullan
b3991477 · xuelei · b414dda5 · b3991477 · b3991477 · b3991477
11 changed file
--- a/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java
@@ -99,6 +99,7 @@ final class CertSignAlgsExtension {
            if (chc.localSupportedSignAlgs == null) {
                chc.localSupportedSignAlgs =
                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
                            chc.algorithmConstraints, chc.activeProtocols);
            }

@@ -192,6 +193,7 @@ final class CertSignAlgsExtension {
            // update the context
            List<SignatureScheme> schemes =
                    SignatureScheme.getSupportedAlgorithms(
+                            shc.sslConfig,
                            shc.algorithmConstraints, shc.negotiatedProtocol,
                            spec.signatureSchemes);
            shc.peerRequestedCertSignSchemes = schemes;
@@ -244,6 +246,7 @@ final class CertSignAlgsExtension {
            // Produce the extension.
            List<SignatureScheme> sigAlgs =
                    SignatureScheme.getSupportedAlgorithms(
+                            shc.sslConfig,
                            shc.algorithmConstraints,
                            List.of(shc.negotiatedProtocol));

@@ -335,6 +338,7 @@ final class CertSignAlgsExtension {
            // update the context
            List<SignatureScheme> schemes =
                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
                            chc.algorithmConstraints, chc.negotiatedProtocol,
                            spec.signatureSchemes);
            chc.peerRequestedCertSignSchemes = schemes;

--- a/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
+++ b/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
@@ -601,6 +601,7 @@ final class CertificateRequest {
            if (shc.localSupportedSignAlgs == null) {
                shc.localSupportedSignAlgs =
                    SignatureScheme.getSupportedAlgorithms(
+                            shc.sslConfig,
                            shc.algorithmConstraints, shc.activeProtocols);
            }


--- a/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
@@ -422,6 +422,7 @@ final class PreSharedKeyExtension {
        if (shc.localSupportedSignAlgs == null) {
            shc.localSupportedSignAlgs =
                    SignatureScheme.getSupportedAlgorithms(
+                            shc.sslConfig,
                            shc.algorithmConstraints, shc.activeProtocols);
        }


--- a/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
@@ -42,6 +42,7 @@ import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import javax.net.ssl.SSLSocket;
+import sun.security.action.GetPropertyAction;
 import sun.security.ssl.SSLExtension.ClientExtensions;
 import sun.security.ssl.SSLExtension.ServerExtensions;

@@ -62,6 +63,10 @@ final class SSLConfiguration implements Cloneable {
    boolean                     enableRetransmissions;
    int                         maximumPacketSize;

+    // The configured signature schemes for "signature_algorithms" and
+    // "signature_algorithms_cert" extensions
+    List<SignatureScheme>       signatureSchemes;
+
    // the maximum protocol version of enabled protocols
    ProtocolVersion             maximumProtocolVersion;

@@ -132,6 +137,9 @@ final class SSLConfiguration implements Cloneable {
        this.enableRetransmissions = sslContext.isDTLS();
        this.maximumPacketSize = 0;         // please reset it explicitly later

+        this.signatureSchemes = isClientMode ?
+                CustomizedClientSignatureSchemes.signatureSchemes :
+                CustomizedServerSignatureSchemes.signatureSchemes;
        this.maximumProtocolVersion = ProtocolVersion.NONE;
        for (ProtocolVersion pv : enabledProtocols) {
            if (pv.compareTo(maximumProtocolVersion) > 0) {
@@ -382,6 +390,15 @@ final class SSLConfiguration implements Cloneable {
        return extensions.toArray(new SSLExtension[0]);
    }

+    void toggleClientMode() {
+        this.isClientMode ^= true;
+
+        // reset the signature schemes
+        this.signatureSchemes = isClientMode ?
+                CustomizedClientSignatureSchemes.signatureSchemes :
+                CustomizedServerSignatureSchemes.signatureSchemes;
+    }
+
    @Override
    @SuppressWarnings({"unchecked", "CloneDeclaresCloneNotSupported"})
    public Object clone() {
@@ -401,4 +418,72 @@ final class SSLConfiguration implements Cloneable {

        return null;    // unlikely
    }
+
+
+    // lazy initialization holder class idiom for static default parameters
+    //
+    // See Effective Java Second Edition: Item 71.
+    private static final class CustomizedClientSignatureSchemes {
+        private static List<SignatureScheme> signatureSchemes =
+                getCustomizedSignatureScheme("jdk.tls.client.SignatureSchemes");
+    }
+
+    // lazy initialization holder class idiom for static default parameters
+    //
+    // See Effective Java Second Edition: Item 71.
+    private static final class CustomizedServerSignatureSchemes {
+        private static List<SignatureScheme> signatureSchemes =
+                getCustomizedSignatureScheme("jdk.tls.server.SignatureSchemes");
+    }
+
+    /*
+     * Get the customized signature schemes specified by the given
+     * system property.
+     */
+    private static List<SignatureScheme> getCustomizedSignatureScheme(
+            String propertyName) {
+
+        String property = GetPropertyAction.privilegedGetProperty(propertyName);
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+            SSLLogger.fine(
+                    "System property " + propertyName + " is set to '" +
+                    property + "'");
+        }
+        if (property != null && !property.isEmpty()) {
+            // remove double quote marks from beginning/end of the property
+            if (property.length() > 1 && property.charAt(0) == '"' &&
+                    property.charAt(property.length() - 1) == '"') {
+                property = property.substring(1, property.length() - 1);
+            }
+        }
+
+        if (property != null && !property.isEmpty()) {
+            String[] signatureSchemeNames = property.split(",");
+            List<SignatureScheme> signatureSchemes =
+                        new ArrayList<>(signatureSchemeNames.length);
+            for (int i = 0; i < signatureSchemeNames.length; i++) {
+                signatureSchemeNames[i] = signatureSchemeNames[i].trim();
+                if (signatureSchemeNames[i].isEmpty()) {
+                    continue;
+                }
+
+                SignatureScheme scheme =
+                    SignatureScheme.nameOf(signatureSchemeNames[i]);
+                if (scheme != null && scheme.isAvailable) {
+                    signatureSchemes.add(scheme);
+                } else {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+                        SSLLogger.fine(
+                                "The current installed providers do not " +
+                                "support signature scheme: " +
+                                signatureSchemeNames[i]);
+                    }
+                }
+            }
+
+            return signatureSchemes;
+        }
+
+        return Collections.emptyList();
+    }
 }
--- a/src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java
+++ b/src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java
@@ -62,7 +62,6 @@ final class SSLServerSocketImpl extends SSLServerSocket {
        super();
        this.sslContext = sslContext;
        this.sslConfig = new SSLConfiguration(sslContext, false);
-        this.sslConfig.isClientMode = false;
    }

    SSLServerSocketImpl(SSLContextImpl sslContext,
@@ -71,7 +70,6 @@ final class SSLServerSocketImpl extends SSLServerSocket {
        super(port, backlog);
        this.sslContext = sslContext;
        this.sslConfig = new SSLConfiguration(sslContext, false);
-        this.sslConfig.isClientMode = false;
    }

    SSLServerSocketImpl(SSLContextImpl sslContext,
@@ -80,7 +78,6 @@ final class SSLServerSocketImpl extends SSLServerSocket {
        super(port, backlog, address);
        this.sslContext = sslContext;
        this.sslConfig = new SSLConfiguration(sslContext, false);
-        this.sslConfig.isClientMode = false;
    }

    @Override
@@ -166,7 +163,7 @@ final class SSLServerSocketImpl extends SSLServerSocket {
                        sslContext.getDefaultCipherSuites(!useClientMode);
            }

-            sslConfig.isClientMode = useClientMode;
+            sslConfig.toggleClientMode();
        }
    }


--- a/src/java.base/share/classes/sun/security/ssl/ServerHello.java
+++ b/src/java.base/share/classes/sun/security/ssl/ServerHello.java
@@ -275,6 +275,7 @@ final class ServerHello {
                if (shc.localSupportedSignAlgs == null) {
                    shc.localSupportedSignAlgs =
                        SignatureScheme.getSupportedAlgorithms(
+                                shc.sslConfig,
                                shc.algorithmConstraints, shc.activeProtocols);
                }

@@ -503,6 +504,7 @@ final class ServerHello {
                if (shc.localSupportedSignAlgs == null) {
                    shc.localSupportedSignAlgs =
                        SignatureScheme.getSupportedAlgorithms(
+                                shc.sslConfig,
                                shc.algorithmConstraints, shc.activeProtocols);
                }


--- a/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
@@ -185,6 +185,7 @@ final class SignatureAlgorithmsExtension {
            if (chc.localSupportedSignAlgs == null) {
                chc.localSupportedSignAlgs =
                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
                            chc.algorithmConstraints, chc.activeProtocols);
            }

@@ -277,6 +278,7 @@ final class SignatureAlgorithmsExtension {
            // update the context
            List<SignatureScheme> sss =
                    SignatureScheme.getSupportedAlgorithms(
+                            shc.sslConfig,
                            shc.algorithmConstraints, shc.negotiatedProtocol,
                            spec.signatureSchemes);
            shc.peerRequestedSignatureSchemes = sss;
@@ -410,6 +412,7 @@ final class SignatureAlgorithmsExtension {
            // Produce the extension.
            List<SignatureScheme> sigAlgs =
                    SignatureScheme.getSupportedAlgorithms(
+                            shc.sslConfig,
                            shc.algorithmConstraints,
                            List.of(shc.negotiatedProtocol));

@@ -510,6 +513,7 @@ final class SignatureAlgorithmsExtension {
            // update the context
            List<SignatureScheme> sss =
                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
                            chc.algorithmConstraints, chc.negotiatedProtocol,
                            spec.signatureSchemes);
            chc.peerRequestedSignatureSchemes = sss;

--- a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
+++ b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
@@ -339,6 +339,17 @@ enum SignatureScheme {
        return signName + "_" + hashName;
    }

+    // Note: the signatureSchemeName is not case-sensitive.
+    static SignatureScheme nameOf(String signatureSchemeName) {
+        for (SignatureScheme ss: SignatureScheme.values()) {
+            if (ss.name.equalsIgnoreCase(signatureSchemeName)) {
+                return ss;
+            }
+        }
+
+        return null;
+    }
+
    // Return the size of a SignatureScheme structure in TLS record
    static int sizeInRecord() {
        return 2;
@@ -347,11 +358,19 @@ enum SignatureScheme {
    // Get local supported algorithm collection complying to algorithm
    // constraints.
    static List<SignatureScheme> getSupportedAlgorithms(
+            SSLConfiguration config,
            AlgorithmConstraints constraints,
            List<ProtocolVersion> activeProtocols) {
        List<SignatureScheme> supported = new LinkedList<>();
        for (SignatureScheme ss: SignatureScheme.values()) {
-            if (!ss.isAvailable) {
+            if (!ss.isAvailable ||
+                    (!config.signatureSchemes.isEmpty() &&
+                        !config.signatureSchemes.contains(ss))) {
+                if (SSLLogger.isOn &&
+                        SSLLogger.isOn("ssl,handshake,verbose")) {
+                    SSLLogger.finest(
+                        "Ignore unsupported signature scheme: " + ss.name);
+                }
                continue;
            }

@@ -383,6 +402,7 @@ enum SignatureScheme {
    }

    static List<SignatureScheme> getSupportedAlgorithms(
+            SSLConfiguration config,
            AlgorithmConstraints constraints,
            ProtocolVersion protocolVersion, int[] algorithmIds) {
        List<SignatureScheme> supported = new LinkedList<>();
@@ -396,6 +416,8 @@ enum SignatureScheme {
                }
            } else if (ss.isAvailable &&
                    ss.supportedProtocols.contains(protocolVersion) &&
+                    (config.signatureSchemes.isEmpty() ||
+                        config.signatureSchemes.contains(ss)) &&
                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
                           ss.algorithm, null)) {
                supported.add(ss);

--- a/src/java.base/share/classes/sun/security/ssl/TransportContext.java
+++ b/src/java.base/share/classes/sun/security/ssl/TransportContext.java
@@ -428,7 +428,7 @@ class TransportContext implements ConnectionContext {
                        sslContext.getDefaultCipherSuites(!useClientMode);
            }

-            sslConfig.isClientMode = useClientMode;
+            sslConfig.toggleClientMode();
        }

        isUnsureMode = false;

--- a/test/jdk/sun/security/ssl/SignatureScheme/CustomizedClientSchemes.java
+++ b/test/jdk/sun/security/ssl/SignatureScheme/CustomizedClientSchemes.java
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
+/*
+ * @test
+ * @bug 8242141
+ * @summary New System Properties to configure the default signature schemes
+ * @library /javax/net/ssl/templates
+ * @run main/othervm CustomizedClientSchemes
+ */
+
+import javax.net.ssl.SSLException;
+
+public class CustomizedClientSchemes extends SSLSocketTemplate {
+
+    public static void main(String[] args) throws Exception {
+        System.setProperty("jdk.tls.client.SignatureSchemes", "rsa_pkcs1_sha1");
+
+        try {
+            new CustomizedClientSchemes().run();
+            throw new Exception(
+                "The jdk.tls.client.SignatureSchemes System Property " +
+                "does not work");
+        } catch (SSLException e) {
+            // Got the expected exception.
+        }
+    }
+}
--- a/test/jdk/sun/security/ssl/SignatureScheme/CustomizedServerSchemes.java
+++ b/test/jdk/sun/security/ssl/SignatureScheme/CustomizedServerSchemes.java
+/*
+ * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
+/*
+ * @test
+ * @bug 8242141
+ * @summary New System Properties to configure the default signature schemes
+ * @library /javax/net/ssl/templates
+ * @run main/othervm CustomizedServerSchemes
+ */
+
+import javax.net.ssl.SSLException;
+
+public class CustomizedServerSchemes extends SSLSocketTemplate {
+
+    public static void main(String[] args) throws Exception {
+        System.setProperty("jdk.tls.server.SignatureSchemes", "rsa_pkcs1_sha1");
+
+        try {
+            new CustomizedServerSchemes().run();
+            throw new Exception(
+                "The jdk.tls.server.SignatureSchemes System Property " +
+                "does not work");
+        } catch (SSLException e) {
+            // Got the expected exception.
+        }
+    }
+}