BCJSSE: Separate client/server properties for max chain length

- jdk.tls.client.maxInboundCertificateChainLength
- jdk.tls.server.maxInboundCertificateChainLength

Author: peterdettman

tls/src/main/java/org/bouncycastle/jsse/provider/JsseUtils.java

@@ -72,8 +72,6 @@ abstract class JsseUtils
         PropertyUtils.getBooleanSystemProperty("jdk.tls.allowLegacyMasterSecret", true);
     private static final boolean provTlsAllowLegacyResumption =
         PropertyUtils.getBooleanSystemProperty("jdk.tls.allowLegacyResumption", false);
-    private static final int provTlsMaxCertificateChainLength =
-        PropertyUtils.getIntegerSystemProperty("jdk.tls.maxCertificateChainLength", 10, 1, Integer.MAX_VALUE);
     private static final int provTlsMaxHandshakeMessageSize =
         PropertyUtils.getIntegerSystemProperty("jdk.tls.maxHandshakeMessageSize", 32768, 1024, Integer.MAX_VALUE);
     private static final boolean provTlsRequireCloseNotify =
@@ -84,6 +82,9 @@ abstract class JsseUtils
     private static final boolean provTlsUseExtendedMasterSecret =
         PropertyUtils.getBooleanSystemProperty("jdk.tls.useExtendedMasterSecret", true);
 
+    private static final int provTlsClientMaxInboundCertChainLen;
+    private static final int provTlsServerMaxInboundCertChainLen;
+
     static final Set<BCCryptoPrimitive> KEY_AGREEMENT_CRYPTO_PRIMITIVES_BC =
         Collections.unmodifiableSet(EnumSet.of(BCCryptoPrimitive.KEY_AGREEMENT));
     static final Set<BCCryptoPrimitive> KEY_ENCAPSULATION_CRYPTO_PRIMITIVES_BC =
@@ -102,6 +103,25 @@ static class BCUnknownServerName extends BCSNIServerName
         }
     }
 
+    static
+    {
+        int clientDefaultValue = 10;
+        int serverDefaultValue = 8;
+
+        int provTlsMaxCertificateChainLength = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.maxCertificateChainLength", 0, 1, Integer.MAX_VALUE);
+        if (provTlsMaxCertificateChainLength > 0)
+        {
+            clientDefaultValue = provTlsMaxCertificateChainLength;
+            serverDefaultValue = provTlsMaxCertificateChainLength;
+        }
+
+        provTlsClientMaxInboundCertChainLen = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.client.maxInboundCertificateChainLength", clientDefaultValue, 1, Integer.MAX_VALUE);
+        provTlsServerMaxInboundCertChainLen = PropertyUtils.getIntegerSystemProperty(
+            "jdk.tls.server.maxInboundCertificateChainLength", serverDefaultValue, 1, Integer.MAX_VALUE);
+    }
+
     static boolean allowLegacyMasterSecret()
     {
         return provTlsAllowLegacyMasterSecret;
@@ -270,14 +290,19 @@ static boolean equals(Object a, Object b)
         return a == b || (null != a && null != b && a.equals(b));
     }
 
-    static int getMaxCertificateChainLength()
+    static int getMaxHandshakeMessageSize()
     {
-        return provTlsMaxCertificateChainLength;
+        return provTlsMaxHandshakeMessageSize;
     }
 
-    static int getMaxHandshakeMessageSize()
+    static int getMaxInboundCertChainLenClient()
     {
-        return provTlsMaxHandshakeMessageSize;
+        return provTlsClientMaxInboundCertChainLen;
+    }
+
+    static int getMaxInboundCertChainLenServer()
+    {
+        return provTlsServerMaxInboundCertChainLen;
     }
 
     static ASN1ObjectIdentifier getNamedCurveOID(PublicKey publicKey)

tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsClient.java

@@ -396,7 +396,7 @@ public JcaTlsCrypto getCrypto()
     @Override
     public int getMaxCertificateChainLength()
     {
-        return JsseUtils.getMaxCertificateChainLength();
+        return JsseUtils.getMaxInboundCertChainLenClient();
     }
 
     @Override

tls/src/main/java/org/bouncycastle/jsse/provider/ProvTlsServer.java

@@ -446,7 +446,7 @@ public boolean allowLegacyResumption()
     @Override
     public int getMaxCertificateChainLength()
     {
-        return JsseUtils.getMaxCertificateChainLength();
+        return JsseUtils.getMaxInboundCertChainLenServer();
     }
 
     @Override