8340321: Disable SHA-1 in TLS/DTLS 1.2 handshake signatures

GoeLin · GoeLin · commit 86765246d95c · 2025-09-15T12:41:47.000Z
Backport-of: dfa79c373097d17a347b7c17103c57e12f59dc67
diff --git a/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java b/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
@@ -133,8 +133,9 @@ enum SignatureScheme {
                                     "DSA",
                                     ProtocolVersion.PROTOCOLS_TO_12),
     ECDSA_SHA1              (0x0203, "ecdsa_sha1", "SHA1withECDSA",
-                                    "EC",
-                                    ProtocolVersion.PROTOCOLS_TO_13),
+                                    "EC", null, null, -1,
+                                    ProtocolVersion.PROTOCOLS_TO_13,
+                                    ProtocolVersion.PROTOCOLS_TO_12),
     RSA_PKCS1_SHA1          (0x0201, "rsa_pkcs1_sha1", "SHA1withRSA",
                                     "RSA", null, null, 511,
                                     ProtocolVersion.PROTOCOLS_TO_13,
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -761,7 +761,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
 #       rsa_pkcs1_sha1, secp224r1, TLS_RSA_*
 jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
     MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
-    ECDH, TLS_RSA_*
+    ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
+    ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
 
 #
 # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
diff --git a/test/jdk/sun/security/ssl/SignatureScheme/DisableSHA1inHandshakeSignatureDTLS12.java b/test/jdk/sun/security/ssl/SignatureScheme/DisableSHA1inHandshakeSignatureDTLS12.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8340321
+ * @summary Disable SHA-1 in TLS/DTLS 1.2 signatures.
+ *          This test only covers DTLS 1.2.
+ * @library /javax/net/ssl/templates
+ *          /test/lib
+ * @run main/othervm DisableSHA1inHandshakeSignatureDTLS12
+ */
+
+public class DisableSHA1inHandshakeSignatureDTLS12 extends
+        DisableSHA1inHandshakeSignatureTLS12 {
+
+    protected DisableSHA1inHandshakeSignatureDTLS12() throws Exception {
+        super();
+    }
+
+    public static void main(String[] args) throws Exception {
+        new DisableSHA1inHandshakeSignatureDTLS12().run();
+    }
+
+    @Override
+    protected String getProtocol() {
+        return "DTLSv1.2";
+    }
+
+    // No CertificateRequest in DTLS server flight.
+    @Override
+    protected void checkCertificateRequest() {
+    }
+}
diff --git a/test/jdk/sun/security/ssl/SignatureScheme/DisableSHA1inHandshakeSignatureTLS12.java b/test/jdk/sun/security/ssl/SignatureScheme/DisableSHA1inHandshakeSignatureTLS12.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8340321
+ * @summary Disable SHA-1 in TLS/DTLS 1.2 signatures.
+ *          This test only covers TLS 1.2.
+ * @library /javax/net/ssl/templates
+ *          /test/lib
+ * @run main/othervm DisableSHA1inHandshakeSignatureTLS12
+ */
+
+import static jdk.test.lib.Asserts.assertFalse;
+import static jdk.test.lib.Asserts.assertTrue;
+
+import java.util.List;
+
+public class DisableSHA1inHandshakeSignatureTLS12 extends
+        AbstractCheckSignatureSchemes {
+
+    protected DisableSHA1inHandshakeSignatureTLS12() throws Exception {
+        super();
+    }
+
+    public static void main(String[] args) throws Exception {
+        new DisableSHA1inHandshakeSignatureTLS12().run();
+    }
+
+    @Override
+    protected String getProtocol() {
+        return "TLSv1.2";
+    }
+
+    // Run things in TLS handshake order.
+    protected void run() throws Exception {
+
+        // Produce client_hello
+        clientEngine.wrap(clientOut, cTOs);
+        cTOs.flip();
+
+        checkClientHello();
+
+        // Consume client_hello.
+        serverEngine.unwrap(cTOs, serverIn);
+        runDelegatedTasks(serverEngine);
+
+        // Produce server_hello.
+        serverEngine.wrap(serverOut, sTOc);
+        sTOc.flip();
+
+        checkCertificateRequest();
+    }
+
+    // Returns SHA-1 signature schemes supported for TLSv1.2 handshake
+    protected List<String> getDisabledSignatureSchemes() {
+        return List.of(
+                "ecdsa_sha1",
+                "rsa_pkcs1_sha1",
+                "dsa_sha1"
+        );
+    }
+
+    protected void checkClientHello() throws Exception {
+        // Get signature_algorithms extension signature schemes.
+        List<String> sigAlgsSS = getSigSchemesCliHello(
+                extractHandshakeMsg(cTOs, TLS_HS_CLI_HELLO),
+                SIG_ALGS_EXT);
+
+        // Should not be present in signature_algorithms extension.
+        getDisabledSignatureSchemes().forEach(ss ->
+                assertFalse(sigAlgsSS.contains(ss),
+                        "Signature Scheme " + ss
+                        + " present in ClientHello's signature_algorithms extension"));
+
+        // Get signature_algorithms_cert extension signature schemes.
+        List<String> sigAlgsCertSS = getSigSchemesCliHello(
+                extractHandshakeMsg(cTOs, TLS_HS_CLI_HELLO),
+                SIG_ALGS_CERT_EXT);
+
+        // Should be present in signature_algorithms_cert extension.
+        getDisabledSignatureSchemes().forEach(ss ->
+                assertTrue(sigAlgsCertSS.contains(ss),
+                        "Signature Scheme " + ss
+                        + " isn't present in ClientHello's"
+                        + " signature_algorithms extension"));
+    }
+
+    protected void checkCertificateRequest() throws Exception {
+        // Get CertificateRequest message signature schemes.
+        List<String> sigAlgsCertSS = getSigSchemesCertReq(
+                extractHandshakeMsg(sTOc, TLS_HS_CERT_REQ));
+
+        // Should not be present in CertificateRequest message.
+        getDisabledSignatureSchemes().forEach(ss ->
+                assertFalse(sigAlgsCertSS.contains(ss),
+                        "Signature Scheme " + ss
+                        + " present in CertificateRequest"));
+    }
+}
diff --git a/test/jdk/sun/security/ssl/SignatureScheme/DisableSHA1inHandshakeSignatureTLS13.java b/test/jdk/sun/security/ssl/SignatureScheme/DisableSHA1inHandshakeSignatureTLS13.java
@@ -0,0 +1,70 @@
+/*
+ * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8340321
+ * @summary Disable SHA-1 in TLS/DTLS 1.2 signatures.
+ *          This test only covers TLS 1.3.
+ * @library /javax/net/ssl/templates
+ *          /test/lib
+ * @run main/othervm DisableSHA1inHandshakeSignatureTLS13
+ */
+
+import java.security.Security;
+import java.util.List;
+
+public class DisableSHA1inHandshakeSignatureTLS13 extends
+        DisableSHA1inHandshakeSignatureTLS12 {
+
+    protected DisableSHA1inHandshakeSignatureTLS13() throws Exception {
+        super();
+    }
+
+    public static void main(String[] args) throws Exception {
+        // SHA-1 algorithm MUST NOT be used in any TLSv1.3 handshake signatures.
+        // This is regardless of jdk.tls.disabledAlgorithms configuration.
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        new DisableSHA1inHandshakeSignatureTLS13().run();
+    }
+
+    @Override
+    protected String getProtocol() {
+        return "TLSv1.3";
+    }
+
+    // Returns SHA-1 signature schemes NOT supported for TLSv1.3 handshake
+    // signatures, but supported for TLSv1.3 certificate signatures.
+    @Override
+    protected List<String> getDisabledSignatureSchemes() {
+        return List.of("ecdsa_sha1", "rsa_pkcs1_sha1");
+    }
+
+    // TLSv1.3 sends CertificateRequest signature schemes in
+    // signature_algorithms and signature_algorithms_cert extensions. Same as
+    // ClientHello, but they are encrypted. So we skip CertificateRequest
+    // signature schemes verification for TLSv1.3.
+    @Override
+    protected void checkCertificateRequest() {
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -761,7 +761,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \`
`761`	`761`	`# rsa_pkcs1_sha1, secp224r1, TLS_RSA_*`
`762`	`762`	`jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \`
`763`	`763`	`MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \`
`764`		`- ECDH, TLS_RSA_*`
	`764`	`+ ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \`
	`765`	`+ ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature`
`765`	`766`
`766`	`767`	`#`
`767`	`768`	`# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)`