--- a/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Mon Aug 12 23:37:48 2019 +0200
+++ b/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java Mon Aug 12 21:36:29 2019 -0700
@@ -28,20 +28,15 @@
import java.io.IOException;
import java.nio.ByteBuffer;
import java.security.AlgorithmConstraints;
-import java.security.AlgorithmParameters;
-import java.security.CryptoPrimitive;
-import java.security.spec.ECGenParameterSpec;
-import java.security.spec.InvalidParameterSpecException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
-import java.util.EnumSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.SSLProtocolException;
import sun.security.action.GetPropertyAction;
-import sun.security.ssl.NamedGroup.NamedGroupType;
+import sun.security.ssl.NamedGroup.NamedGroupSpec;
import static sun.security.ssl.SSLExtension.CH_SUPPORTED_GROUPS;
import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
import sun.security.ssl.SSLExtension.ExtensionConsumer;
@@ -188,7 +183,7 @@
if (!group.isEmpty()) {
NamedGroup namedGroup = NamedGroup.nameOf(group);
if (namedGroup != null) {
- if (isAvailableGroup(namedGroup)) {
+ if (namedGroup.isAvailable) {
groupList.add(namedGroup);
}
} // ignore unknown groups
@@ -235,7 +230,7 @@
groupList = new ArrayList<>(groups.length);
for (NamedGroup group : groups) {
- if (isAvailableGroup(group)) {
+ if (group.isAvailable) {
groupList.add(group);
}
}
@@ -253,48 +248,19 @@
}
}
- // check whether the group is supported by the underlying providers
- private static boolean isAvailableGroup(NamedGroup namedGroup) {
- return namedGroup.isAvailableGroup();
- }
-
- static ECGenParameterSpec getECGenParamSpec(NamedGroup ng) {
- if (ng.type != NamedGroupType.NAMED_GROUP_ECDHE) {
- throw new RuntimeException(
- "Not a named EC group: " + ng);
- }
-
- // parameters are non-null
- AlgorithmParameters params = ng.getParameters();
- try {
- return params.getParameterSpec(ECGenParameterSpec.class);
- } catch (InvalidParameterSpecException ipse) {
- // should be unlikely
- return new ECGenParameterSpec(ng.oid);
- }
- }
-
- static AlgorithmParameters getParameters(NamedGroup ng) {
- return ng.getParameters();
- }
-
// Is there any supported group permitted by the constraints?
static boolean isActivatable(
- AlgorithmConstraints constraints, NamedGroupType type) {
+ AlgorithmConstraints constraints, NamedGroupSpec type) {
boolean hasFFDHEGroups = false;
for (NamedGroup namedGroup : supportedNamedGroups) {
- if (namedGroup.type == type) {
- if (constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup))) {
-
+ if (namedGroup.isAvailable && namedGroup.spec == type) {
+ if (namedGroup.isPermitted(constraints)) {
return true;
}
if (!hasFFDHEGroups &&
- (type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+ (type == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
hasFFDHEGroups = true;
}
}
@@ -306,20 +272,17 @@
//
// Note that the constraints checking on DHE parameters will be
// performed during key exchanging in a handshake.
- return !hasFFDHEGroups && type == NamedGroupType.NAMED_GROUP_FFDHE;
+ return !hasFFDHEGroups && type == NamedGroupSpec.NAMED_GROUP_FFDHE;
}
// Is the named group permitted by the constraints?
static boolean isActivatable(
AlgorithmConstraints constraints, NamedGroup namedGroup) {
- if (!isSupported(namedGroup)) {
+ if (!namedGroup.isAvailable || !isSupported(namedGroup)) {
return false;
}
- return constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup));
+ return namedGroup.isPermitted(constraints);
}
// Is the named group supported?
@@ -335,16 +298,13 @@
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
- AlgorithmConstraints constraints, NamedGroupType[] types,
+ AlgorithmConstraints constraints, NamedGroupSpec[] types,
List<NamedGroup> requestedNamedGroups) {
for (NamedGroup namedGroup : requestedNamedGroups) {
- if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
+ if ((NamedGroupSpec.arrayContains(types, namedGroup.spec)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
isSupported(namedGroup) &&
- constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup))) {
+ namedGroup.isPermitted(constraints)) {
return namedGroup;
}
}
@@ -354,14 +314,11 @@
static NamedGroup getPreferredGroup(
ProtocolVersion negotiatedProtocol,
- AlgorithmConstraints constraints, NamedGroupType[] types) {
+ AlgorithmConstraints constraints, NamedGroupSpec[] types) {
for (NamedGroup namedGroup : supportedNamedGroups) {
- if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
+ if ((NamedGroupSpec.arrayContains(types, namedGroup.spec)) &&
namedGroup.isAvailable(negotiatedProtocol) &&
- constraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- namedGroup.algorithm,
- getParameters(namedGroup))) {
+ namedGroup.isPermitted(constraints)) {
return namedGroup;
}
}
@@ -401,15 +358,13 @@
new ArrayList<>(SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
- (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+ (ng.spec == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(chc.activeProtocols) &&
ng.isSupported(chc.activeCipherSuites) &&
- chc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- ng.algorithm, getParameters(ng))) {
+ ng.isPermitted(chc.algorithmConstraints)) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
@@ -528,15 +483,13 @@
SupportedGroups.supportedNamedGroups.length);
for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
if ((!SupportedGroups.enableFFDHE) &&
- (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+ (ng.spec == NamedGroupSpec.NAMED_GROUP_FFDHE)) {
continue;
}
if (ng.isAvailable(shc.activeProtocols) &&
ng.isSupported(shc.activeCipherSuites) &&
- shc.algorithmConstraints.permits(
- EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
- ng.algorithm, getParameters(ng))) {
+ ng.isPermitted(shc.algorithmConstraints)) {
namedGroups.add(ng);
} else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(