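--- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java
+++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java
@@ -23,12 +23,6 @@
 * questions.
 */
 
-/*
-* ===========================================================================
-* (c) Copyright IBM Corp. 2023, 2023 All Rights Reserved
-* ===========================================================================
-*/
-
 package sun.security.ssl;
 
 import java.math.BigInteger;
@@ -96,26 +90,6 @@ final class JsseJce {
 */
 static final String SIGNATURE_ECDSA = "SHA1withECDSA";
 
-/**
-* JCA identifier string for ECDSA, i.e. a ECDSA with SHA224.
-*/
-static final String SIGNATURE_ECDSA_224 = "SHA224withECDSA";
-
-/**
-* JCA identifier string for ECDSA, i.e. a ECDSA with SHA256.
-*/
-static final String SIGNATURE_ECDSA_256 = "SHA256withECDSA";
-
-/**
-* JCA identifier string for ECDSA, i.e. a ECDSA with SHA384.
-*/
-static final String SIGNATURE_ECDSA_384 = "SHA384withECDSA";
-
-/**
-* JCA identifier string for ECDSA, i.e. a ECDSA with SHA512.
-*/
-static final String SIGNATURE_ECDSA_512 = "SHA512withECDSA";
-
 /**
 * JCA identifier for EdDSA signatures.
 */
@@ -188,38 +162,10 @@ private static class EcAvailability {
 // Is EC crypto available?
 private static final boolean isAvailable;
 
-/**
-* Checks if a particular signature algorithm is available.
-*
-* @param algorithm the algorithm we will attempt to instantiate to check if it is available
-* @return true if the signature algorithm is found, false otherwise
-*/
-private static boolean isSignatureAlgorithmAvailable(String algorithm) {
-try {
-// Attempt to create a Cipher instance with the specified algorithm.
-Signature.getInstance(algorithm);
-return true;
-} catch (NoSuchAlgorithmException e) {
-return false;
-}
-}
-
 static {
 boolean mediator = true;
 try {
-// When running in FIPS mode, the signature "SHA1withECDSA" is not
-// available by default. In this scenario we should still set EC
-// availability to true since other algorithms in the ECDSA signature
-// family are available for use in various ECDSA TLS ciphers. All
-// FIPS solutions are expected to have an algorithm such as
-// "SHA512withECDSA", "SHA384withECDSA", "SHA256withECDSA", or
-// "SHA224withECDSA" available so we will also check for these algorithms.
-mediator = isSignatureAlgorithmAvailable(SIGNATURE_ECDSA)
-|| isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_224)
-|| isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_256)
-|| isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_384)
-|| isSignatureAlgorithmAvailable(SIGNATURE_ECDSA_512);
-
+Signature.getInstance(SIGNATURE_ECDSA);
 Signature.getInstance(SIGNATURE_RAWECDSA);
 KeyAgreement.getInstance("ECDH");
 KeyFactory.getInstance("EC");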
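Review bot: The restored `Signature.getInstance(SIGNATURE_ECDSA);` probe in the `EcAvailability` static initializer again gates all EC support on `SHA1withECDSA` being registered, which the removed comment says is not the case by default in FIPS mode. The `catch` and the assignment to `isAvailable` are outside the hunk, but if a failed probe still clears `mediator`, a provider set without SHA-1 signatures would presumably report EC as unavailable without any diagnostic, and TLS would lose its EC-based options. Please confirm that the FIPS provider configuration now supplies `SHA1withECDSA`, or document the dependency at the probe, for example `// EC is reported unavailable when SHA1withECDSA is missing (e.g. restricted/FIPS provider sets)`. A test that initializes this class with a provider list lacking SHA-1 signatures would catch a regression here.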