--- a/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java Tue Apr 21 20:33:34 2015 +0100
+++ b/jdk/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java Wed Apr 22 05:09:54 2015 +0000
@@ -723,6 +723,14 @@
// NOTREACHED
}
ephemeralServerKey = mesg.getPublicKey();
+
+ // check constraints of RSA PublicKey
+ if (!algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
+
+ throw new SSLHandshakeException("RSA ServerKeyExchange " +
+ "does not comply to algorithm constraints");
+ }
}
/*
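Review bot: The added check on the ephemeral RSA key queries the constraints with `CryptoPrimitive.KEY_AGREEMENT`, but in an RSA ServerKeyExchange the temporary key is used to encrypt the premaster secret, not to agree on one. A custom `AlgorithmConstraints` that distinguishes primitives could therefore be consulted for the wrong use. Consider `EnumSet.of(CryptoPrimitive.KEY_ENCAPSULATION)` here, or add a comment explaining why KEY_AGREEMENT is intended; the ECDH hunk further down uses the same primitive, where it fits. The exception text in both hunks would read better as `"does not comply with algorithm constraints"`. The enclosing method begins outside this hunk.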
@@ -739,6 +747,9 @@
dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
sslContext.getSecureRandom());
serverDH = mesg.getServerPublicKey();
+
+ // check algorithm constraints
+ dh.checkConstraints(algorithmConstraints, serverDH);
}
private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
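Review bot: The constraint check runs only after `new DHCrypt(mesg.getModulus(), mesg.getBase(), ...)` has been built from the server-supplied group. If that constructor generates the client key pair (it takes the SecureRandom, so presumably it does), the client does that work on parameters it is about to reject. Validating the modulus before constructing `DHCrypt` would avoid this; the ECDH hunk below has the same ordering, with `new ECDHCrypt(key.getParams(), ...)` ahead of its `permits()` call. Unlike the RSA and ECDH hunks, no throw is visible here, so the comment should say how a violation is reported, e.g. `// throws SSLHandshakeException if the server DH key violates the constraints` (to be confirmed against `DHCrypt.checkConstraints`). The method starts above the hunk.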
@@ -749,6 +760,14 @@
ECPublicKey key = mesg.getPublicKey();
ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
ephemeralServerKey = key;
+
+ // check constraints of EC PublicKey
+ if (!algorithmConstraints.permits(
+ EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
+
+ throw new SSLHandshakeException("ECDH ServerKeyExchange " +
+ "does not comply to algorithm constraints");
+ }
}
/*