BCJSSE: System props to disable DH default suites

- org.bouncycastle.jsse.client.dh.disableDefaultSuites (false)
- org.bouncycastle.jsse.server.dh.disableDefaultSuites (false)

Author: peterdettman

docs/releasenotes.html

@@ -64,6 +64,8 @@ <h3>2.1.3 Additional Features and Functionality</h3>
 <li>The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string.</li>
 <li>Support for additional input has been added for deterministic (EC)DSA.</li>
 <li>The OpenPGP API provides better support for subkey generation.</li>
+<li>BCJSSE: Added boolean system properties "org.bouncycastle.jsse.client.dh.disableDefaultSuites" and "org.bouncycastle.jsse.server.dh.disableDefaultSuites".
+Default "false". Set to "true" to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively.</li>
 </ul>
 <h3>2.1.4 Notes</h3>
 <ul>

tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java

@@ -37,6 +37,7 @@
 import org.bouncycastle.jsse.java.security.BCCryptoPrimitive;
 import org.bouncycastle.tls.CipherSuite;
 import org.bouncycastle.tls.ProtocolVersion;
+import org.bouncycastle.tls.TlsDHUtils;
 import org.bouncycastle.tls.TlsUtils;
 import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCrypto;
 import org.bouncycastle.tls.crypto.impl.jcajce.JcaTlsCryptoProvider;
@@ -327,15 +328,22 @@ private static Map<String, ProtocolVersion> createSupportedProtocolMapFips(
     }
 
     private static String[] getDefaultEnabledCipherSuites(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,
-        String cipherSuitesPropertyName, List<String> defaultCipherSuiteList)
+        List<String> defaultCipherSuiteList, boolean disableDHDefaultSuites, String cipherSuitesPropertyName)
     {
         List<String> candidates = getJdkTlsCipherSuites(cipherSuitesPropertyName, defaultCipherSuiteList);
 
         String[] result = new String[candidates.size()];
         int count = 0;
         for (String candidate : candidates)
         {
-            if (!supportedCipherSuiteMap.containsKey(candidate))
+            CipherSuiteInfo cipherSuiteInfo = supportedCipherSuiteMap.get(candidate);
+            if (null == cipherSuiteInfo)
+            {
+                continue;
+            }
+            if (disableDHDefaultSuites &&
+                candidates == defaultCipherSuiteList &&
+                TlsDHUtils.isDHCipherSuite(cipherSuiteInfo.getCipherSuite()))
             {
                 continue;
             }
@@ -352,15 +360,21 @@ private static String[] getDefaultEnabledCipherSuites(Map<String, CipherSuiteInf
     private static String[] getDefaultEnabledCipherSuitesClient(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,
         List<String> defaultCipherSuiteList)
     {
-        return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, PROPERTY_CLIENT_CIPHERSUITES,
-            defaultCipherSuiteList);
+        boolean disableDHDefaultSuites = PropertyUtils
+            .getBooleanSystemProperty("org.bouncycastle.jsse.client.dh.disableDefaultSuites", false);
+
+        return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, defaultCipherSuiteList, disableDHDefaultSuites,
+            PROPERTY_CLIENT_CIPHERSUITES);
     }
 
     private static String[] getDefaultEnabledCipherSuitesServer(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,
         List<String> defaultCipherSuiteList)
     {
-        return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, PROPERTY_SERVER_CIPHERSUITES,
-            defaultCipherSuiteList);
+        boolean disableDHDefaultSuites = PropertyUtils
+            .getBooleanSystemProperty("org.bouncycastle.jsse.server.dh.disableDefaultSuites", false);
+
+        return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, defaultCipherSuiteList, disableDHDefaultSuites,
+            PROPERTY_SERVER_CIPHERSUITES);
     }
 
     private static String[] getDefaultEnabledProtocols(Map<String, ProtocolVersion> supportedProtocolMap,