RFR: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm

RFR: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm

John Jiang
If signature_algorithms extension is present, but the algorithms are unrecognized or unsupported, JSSE peers should send fatal alert immediately.
For example, in this case, it's unnecessary to try to produce ServerHello, Certificate and ServerKeyExchange messages.

-------------

Commit messages:
 - JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm

Changes: https://git.openjdk.java.net/jdk/pull/2876/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=2876&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8263188
  Stats: 9 lines in 1 file changed: 8 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/2876.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/2876/head:pull/2876

PR: https://git.openjdk.java.net/jdk/pull/2876
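
The fail-fast check described in this post, as an added example that is not the patch under review or JSSE's own code: it parses a constructed signature_algorithms payload, intersects it with a local list, and aborts before any server flight message is built. The class and method names, the `SUPPORTED` set, and the use of `SSLHandshakeException` to stand in for the fatal alert are assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLHandshakeException;

public class SigAlgFailFast {
    // Hypothetical local configuration; code points are from RFC 8446, section 4.2.3.
    static final Set<Integer> SUPPORTED = Set.of(
            0x0403,   // ecdsa_secp256r1_sha256
            0x0804,   // rsa_pss_rsae_sha256
            0x0401);  // rsa_pkcs1_sha256

    /** Parses extension_data: a 2-byte list length followed by 2-byte scheme code points. */
    static List<Integer> parse(byte[] extensionData) throws SSLHandshakeException {
        ByteBuffer buf = ByteBuffer.wrap(extensionData);
        if (buf.remaining() < 2) throw new SSLHandshakeException("truncated signature_algorithms");
        int len = buf.getShort() & 0xFFFF;
        if (len == 0 || (len & 1) != 0 || len != buf.remaining())
            throw new SSLHandshakeException("malformed signature_algorithms");
        List<Integer> schemes = new ArrayList<>();
        while (buf.hasRemaining()) schemes.add(buf.getShort() & 0xFFFF);
        return schemes;
    }

    /** Returns the peer's schemes that are also supported locally, in the peer's order. */
    static List<Integer> negotiate(byte[] extensionData) throws SSLHandshakeException {
        List<Integer> common = new ArrayList<>(parse(extensionData));
        common.retainAll(SUPPORTED);   // unrecognized and unsupported code points drop out here
        if (common.isEmpty()) {
            // Fail fast: stop before ServerHello, Certificate or ServerKeyExchange is produced.
            throw new SSLHandshakeException("No supported signature algorithm");
        }
        return common;
    }

    public static void main(String[] args) {
        byte[][] samples = {   // constructed extension_data payloads
            {0x00, 0x04, 0x04, 0x03, 0x08, 0x04},         // two locally supported schemes
            {0x00, 0x04, 0x02, 0x01, (byte) 0xFE, 0x01},  // rsa_pkcs1_sha1 + private-use code point
        };
        for (byte[] s : samples) {
            try {
                System.out.println("negotiated: " + negotiate(s));
            } catch (SSLHandshakeException e) {
                System.out.println("fatal alert: " + e.getMessage());
            }
        }
    }
}
```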

Re: RFR: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm [v2]

John Jiang
> If signature_algorithms extension is present, but the algorithms are unrecognized or unsupported, JSSE peers should send fatal alert immediately.
> For example, in this case, it's unnecessary to try to produce ServerHello, Certificate and ServerKeyExchange messages.

John Jiang has updated the pull request incrementally with one additional commit since the last revision:

  TLSv1.2 CertificateRequest could fail fast if no common signature scheme and add two tests for TLSv1.2 and TLSv1.3 respectively

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/2876/files
  - new: https://git.openjdk.java.net/jdk/pull/2876/files/bed8a7b7..a0552d45

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=2876&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=2876&range=00-01

  Stats: 485 lines in 5 files changed: 473 ins; 0 del; 12 mod
  Patch: https://git.openjdk.java.net/jdk/pull/2876.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/2876/head:pull/2876

PR: https://git.openjdk.java.net/jdk/pull/2876

Re: RFR: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm

John Jiang
On Mon, 8 Mar 2021 15:27:45 GMT, John Jiang <[hidden email]> wrote:

> If signature_algorithms extension is present, but the algorithms are unrecognized or unsupported, JSSE peers should send fatal alert immediately.
> For example, in this case, it's unnecessary to try to produce ServerHello, Certificate and ServerKeyExchange messages.

Could this change be reviewed? Thanks!

-------------

PR: https://git.openjdk.java.net/jdk/pull/2876

Re: RFR: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm [v2]

Xue-Lei Andrew Fan
On Tue, 16 Mar 2021 23:21:40 GMT, John Jiang <[hidden email]> wrote:

>> If signature_algorithms extension is present, but the algorithms are unrecognized or unsupported, JSSE peers should send fatal alert immediately.
>> For example, in this case, it's unnecessary to try to produce ServerHello, Certificate and ServerKeyExchange messages.
>
> John Jiang has updated the pull request incrementally with one additional commit since the last revision:
>
>   TLSv1.2 CertificateRequest could fail fast if no common signature scheme and add two tests for TLSv1.2 and TLSv1.3 respectively

Looks good to me. Thanks!

-------------

Marked as reviewed by xuelei (Reviewer).

PR: https://git.openjdk.java.net/jdk/pull/2876

Re: RFR: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm [v2]

John Jiang
On Mon, 29 Mar 2021 04:42:16 GMT, Xue-Lei Andrew Fan <[hidden email]> wrote:

>> John Jiang has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   TLSv1.2 CertificateRequest could fail fast if no common signature scheme and add two tests for TLSv1.2 and TLSv1.3 respectively
>
> Looks good to me. Thanks!

@XueleiFan Thanks for your review!
@jnimeh Thanks for your suggestion for writing the tests!

-------------

PR: https://git.openjdk.java.net/jdk/pull/2876

Integrated: JDK-8263188: JSSE should fail fast if there isn't supported signature algorithm

John Jiang
On Mon, 8 Mar 2021 15:27:45 GMT, John Jiang <[hidden email]> wrote:

> If signature_algorithms extension is present, but the algorithms are unrecognized or unsupported, JSSE peers should send fatal alert immediately.
> For example, in this case, it's unnecessary to try to produce ServerHello, Certificate and ServerKeyExchange messages.

This pull request has now been integrated.

Changeset: 99b4bab3
Author:    John Jiang <[hidden email]>
URL:       https://git.openjdk.java.net/jdk/commit/99b4bab3
Stats:     494 lines in 6 files changed: 481 ins; 0 del; 13 mod

8263188: JSSE should fail fast if there isn't supported signature algorithm

Reviewed-by: xuelei

-------------

PR: https://git.openjdk.java.net/jdk/pull/2876