8359956: Support algorithm constraints and certificate checks in SunX509 key manager #25016
Conversation
…g checked with default SunX509 key manager
|
👋 Welcome back abarashev! A progress list of the required criteria for merging this PR into |
|
❗ This change is not yet ready to be integrated. |
|
@artur-oracle The following labels will be automatically applied to this pull request:
When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command. |
openjdk
bot
added
security
Webrevs
|
|
It is nice to refactor the common code for algorithm constraints checking into a new class, |
@haimaychao Thanks for looking into it! Yes, it will disable constraints checking for both key managers and I did it this way on purpose. I think it will be simpler and less confusing to the end users. This system property is off by default and my assumption is that if end users want to disable KM algorithm constraints checking they would expect it to be disabled system-wide. @seanjmullan What do you think? |
|
/issue add JDK-8170706 |
|
@artur-oracle |
|
@AlanBateman |
test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I am trying to figure out when the algorithm constraints are enabled, why the key isn't being selected. I don't see anywhere that you are setting the algorithm constraints property.
Please add some more comments explaining how the exception case occurs.
There was a problem hiding this comment.
Hi @seanjmullan! This PR fixes both JDK-8353113 and JDK-8170706. So we have 2 new unit tests, one for each issue:
AlgorithmConstraintsCheck: tests JDK-8170706. BTW, I'm going to update the@bugtag in this test to8170706PeerConstraintsCheck: tests JDK-8353113. No need to set any algorithm constraints because we test against the peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions. I'll add a comment to this test with the explanation.
There was a problem hiding this comment.
I see. You also have a 3rd: JDK-8359069. It's rare to see one PR fix multiple issues, even though skara supports it. I'm not sure I see specific advantages of having three separate issues instead of just one. Is it primarily because you see these as separate issues? In that case, does it make sense to fix this as 3 different issues in case one or more them needs to be selectively backported?
There was a problem hiding this comment.
Done: all 3 issues have been combined into one.
src/java.base/share/classes/sun/security/ssl/X509KeyManagerConstraints.java
Outdated
Show resolved
Hide resolved
I'd agree. As I mentioned in my earlier comment, if the new system property ends up toggling behavior in both |
|
/issue add JDK-8359069 |
|
@artur-oracle |
|
/issue remove JDK-8170706 |
|
@artur-oracle |
|
/issue remove JDK-8359069 |
|
@artur-oracle |
artur-oracle
changed the title
|
/issue add JDK-8359956 |
openjdk
bot
changed the title
|
@artur-oracle This issue is referenced in the PR title - it will now be updated. |
I made the toggle specific to SunX509 Key Manager as suggested. |
| System.setProperty( | ||
| "jdk.tls.SunX509keymanager.certSelectionChecking", "false"); |
There was a problem hiding this comment.
What if you instead just removed "RSA keySize < 1024" from the jdk.certpath.disabledAlgorithms security property - would this test still pass? This way you could still test the other parts of the cert selection code.
This same comment applies to other tests where you have set the jdk.tls.SunX509keymanager.certSelectionChecking property to false.
There was a problem hiding this comment.
Done, good point! It works for this particular test but the same approach doesn't work for other tests because they either rely on TrustManager do the constraints checks or MD5 algorithm being blocks by TLSv1.3 spec.
|
/csr |
|
Please create a CSR for the new system property. |
|
@seanjmullan has indicated that a compatibility and specification (CSR) request is needed for this pull request. @artur-oracle please create a CSR request for issue JDK-8359956 with the correct fix version. This pull request cannot be integrated until the CSR request is approved. |
SunX509 key manager should support the same certificate checks that are supported by PKIX key manager.
Effectively there should be only 2 differences between 2 key managers:
SUNX509 KeyManager performance before the change
Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
SSLHandshake.doHandshake true TLSv1.2 thrpt 15 19758.012 ± 758.237 ops/s
SSLHandshake.doHandshake true TLS thrpt 15 1861.695 ± 14.681 ops/s
SSLHandshake.doHandshake false TLSv1.2 thrpt 15 1186.962 ± 12.085 ops/s
SSLHandshake.doHandshake false TLS thrpt 15 1056.288 ± 7.197 ops/s
SUNX509 KeyManager performance after the change
Benchmark (resume) (tlsVersion) Mode Cnt Score Error Units
SSLHandshake.doHandshake true TLSv1.2 thrpt 15 20954.399 ± 260.817 ops/s
SSLHandshake.doHandshake true TLS thrpt 15 1813.401 ± 13.917 ops/s
SSLHandshake.doHandshake false TLSv1.2 thrpt 15 1158.190 ± 6.023 ops/s
SSLHandshake.doHandshake false TLS thrpt 15 1012.988 ± 10.943 ops/s
Progress
Issues
Reviewing
Using
gitCheckout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/25016/head:pull/25016$ git checkout pull/25016Update a local copy of the PR:
$ git checkout pull/25016$ git pull https://git.openjdk.org/jdk.git pull/25016/headUsing Skara CLI tools
Checkout this PR locally:
$ git pr checkout 25016View PR using the GUI difftool:
$ git pr show -t 25016Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/25016.diff
Using Webrev
Link to Webrev Comment