8349583: Add mechanism to disable signature schemes based on their TLS scope

common/autoconf/spec.gmk.in

@@ -500,8 +500,11 @@ JARSIGNER=@FIXPATH@ $(BOOT_JDK)/bin/jarsigner
 
 # You run the new javac using the boot jdk with $(BOOT_JDK)/bin/java $(NEW_JAVAC) ...
 BOOTSTRAP_JAVAC_JAR:=$(LANGTOOLS_OUTPUTDIR)/dist/bootstrap/lib/javac.jar
+BOOTSTRAP_CLASSES_CREATE_SYMBOLS:=$(BUILD_OUTPUT)/jdk/createSymbolsBP
 BOOTSTRAP_JAVAC_ARGS:="-Xbootclasspath/p:$(BOOTSTRAP_JAVAC_JAR)" -cp $(BOOTSTRAP_JAVAC_JAR)
+BOOTSTRAP_JAVAC_ARGS_EXTRA:="-Xbootclasspath/p:$(BOOTSTRAP_JAVAC_JAR)$(PATH_SEP)$(BOOTSTRAP_CLASSES_CREATE_SYMBOLS)" -cp $(BOOTSTRAP_JAVAC_JAR)
 NEW_JAVAC   = $(BOOTSTRAP_JAVAC_ARGS) com.sun.tools.javac.Main
+NEW_JAVAC_CREATESYMBOLS   = $(BOOTSTRAP_JAVAC_ARGS_EXTRA) com.sun.tools.javac.Main
 NEW_JAVADOC = $(BOOTSTRAP_JAVAC_ARGS) com.sun.tools.javadoc.Main
 
 # Base flags for RC

jdk/make/CopyFiles.gmk

@@ -261,6 +261,17 @@ COPY_FILES += $(LIBDIR)/jvm.hprof.txt
 
 ##########################################################################################
 
+#
+# Bootstrap classpath for CreateSymbols. Add needed files not in the boot JDK
+# here. Currently only SSLScope.class since it's needed for DisabledAlgorithmConstraints
+# processing.
+#
+$(eval $(call SetupCopyFiles,COPY_CREATE_SYMBOLS, \
+    SRC := $(JDK_OUTPUTDIR)/classes, \
+    DEST := $(BOOTSTRAP_CLASSES_CREATE_SYMBOLS), \
+    FILES := sun/security/ssl/SSLScope.class))
+COPY_FILES += $(COPY_CREATE_SYMBOLS)
+
 #
 # How to install jvm.cfg.
 #

jdk/make/CreateJars.gmk

@@ -560,7 +560,7 @@ EXPORTED_PRIVATE_PKGS = com.oracle.net \
 $(IMAGES_OUTPUTDIR)/symbols/_the.symbols: $(IMAGES_OUTPUTDIR)/lib/rt.jar
 	$(RM) -r $(IMAGES_OUTPUTDIR)/symbols/META-INF/sym
 	$(MKDIR) -p $(IMAGES_OUTPUTDIR)/symbols/META-INF/sym
-	$(JAVA) $(NEW_JAVAC) \
+	$(JAVA) $(NEW_JAVAC_CREATESYMBOLS) \
 	    -bootclasspath $(JDK_OUTPUTDIR)/classes \
 	    -XDprocess.packages -proc:only \
 	    -processor com.sun.tools.javac.sym.CreateSymbols \

jdk/src/share/classes/sun/security/ssl/CertSignAlgsExtension.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,8 @@
 
 package sun.security.ssl;
 
+import static sun.security.ssl.SignatureScheme.CERTIFICATE_SCOPE;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.util.Arrays;
@@ -98,26 +100,27 @@ public byte[] produce(ConnectionContext context,
             }
 
             // Produce the extension.
-            if (chc.localSupportedSignAlgs == null) {
-                chc.localSupportedSignAlgs =
-                    SignatureScheme.getSupportedAlgorithms(
-                            chc.sslConfig,
-                            chc.algorithmConstraints, chc.activeProtocols);
+            if (chc.localSupportedCertSignAlgs == null) {
+                chc.localSupportedCertSignAlgs =
+                        SignatureScheme.getSupportedAlgorithms(
+                                chc.sslConfig,
+                                chc.algorithmConstraints, chc.activeProtocols,
+                                CERTIFICATE_SCOPE);
             }
 
             int vectorLen = SignatureScheme.sizeInRecord() *
-                    chc.localSupportedSignAlgs.size();
+                    chc.localSupportedCertSignAlgs.size();
             byte[] extData = new byte[vectorLen + 2];
             ByteBuffer m = ByteBuffer.wrap(extData);
             Record.putInt16(m, vectorLen);
-            for (SignatureScheme ss : chc.localSupportedSignAlgs) {
+            for (SignatureScheme ss : chc.localSupportedCertSignAlgs) {
                 Record.putInt16(m, ss.id);
             }
 
             // Update the context.
             chc.handshakeExtensions.put(
                     SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT,
-                    new SignatureSchemesSpec(chc.localSupportedSignAlgs));
+                    new SignatureSchemesSpec(chc.localSupportedCertSignAlgs));
 
             return extData;
         }
@@ -197,7 +200,9 @@ public void consume(ConnectionContext context,
                     SignatureScheme.getSupportedAlgorithms(
                             shc.sslConfig,
                             shc.algorithmConstraints, shc.negotiatedProtocol,
-                            spec.signatureSchemes);
+                            spec.signatureSchemes,
+                            CERTIFICATE_SCOPE);
+
             shc.peerRequestedCertSignSchemes = schemes;
             shc.handshakeSession.setPeerSupportedSignatureAlgorithms(schemes);
 
@@ -246,26 +251,30 @@ public byte[] produce(ConnectionContext context,
             }
 
             // Produce the extension.
-            List<ProtocolVersion> protocols = Arrays.asList(shc.negotiatedProtocol);
-            protocols = Collections.unmodifiableList(protocols);
-            List<SignatureScheme> sigAlgs =
+            if (shc.localSupportedCertSignAlgs == null) {
+                List<ProtocolVersion> protocols = Arrays.asList(shc.negotiatedProtocol);
+                protocols = Collections.unmodifiableList(protocols);
+                shc.localSupportedCertSignAlgs =
                     SignatureScheme.getSupportedAlgorithms(
                             shc.sslConfig,
                             shc.algorithmConstraints,
-                            protocols);
+                            protocols,
+                            CERTIFICATE_SCOPE);
+            }
 
-            int vectorLen = SignatureScheme.sizeInRecord() * sigAlgs.size();
+            int vectorLen = SignatureScheme.sizeInRecord()
+                    * shc.localSupportedCertSignAlgs.size();
             byte[] extData = new byte[vectorLen + 2];
             ByteBuffer m = ByteBuffer.wrap(extData);
             Record.putInt16(m, vectorLen);
-            for (SignatureScheme ss : sigAlgs) {
+            for (SignatureScheme ss : shc.localSupportedCertSignAlgs) {
                 Record.putInt16(m, ss.id);
             }
 
             // Update the context.
             shc.handshakeExtensions.put(
                     SSLExtension.CR_SIGNATURE_ALGORITHMS_CERT,
-                    new SignatureSchemesSpec(shc.localSupportedSignAlgs));
+                    new SignatureSchemesSpec(shc.localSupportedCertSignAlgs));
 
             return extData;
         }
@@ -344,7 +353,9 @@ public void consume(ConnectionContext context,
                     SignatureScheme.getSupportedAlgorithms(
                             chc.sslConfig,
                             chc.algorithmConstraints, chc.negotiatedProtocol,
-                            spec.signatureSchemes);
+                            spec.signatureSchemes,
+                            CERTIFICATE_SCOPE);
+
             chc.peerRequestedCertSignSchemes = schemes;
             chc.handshakeSession.setPeerSupportedSignatureAlgorithms(schemes);
         }

jdk/src/share/classes/sun/security/ssl/CertificateMessage.java

@@ -1055,6 +1055,7 @@ private static SSLPossession choosePossession(
                 // Don't select a signature scheme unless we will be able to
                 // produce a CertificateVerify message later
                 if (SignatureScheme.getPreferableAlgorithm(
+                        hc.algorithmConstraints,
                         hc.peerRequestedSignatureSchemes,
                         ss, hc.negotiatedProtocol) == null) {
 

jdk/src/share/classes/sun/security/ssl/CertificateRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.ssl;
 
+import static sun.security.ssl.SignatureScheme.CERTIFICATE_SCOPE;
+import static sun.security.ssl.SignatureScheme.HANDSHAKE_SCOPE;
+
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.security.PrivateKey;
@@ -380,7 +383,6 @@ public void consume(ConnectionContext context,
                     crm.getAuthorities(), (SSLEngine)chc.conContext.transport);
             }
 
-
             if (clientAlias == null) {
                 if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                     SSLLogger.warning("No available client authentication");
@@ -607,16 +609,33 @@ private T12CertificateRequestProducer() {
         public byte[] produce(ConnectionContext context,
                 HandshakeMessage message) throws IOException {
             // The producing happens in server side only.
-            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ServerHandshakeContext shc = (ServerHandshakeContext) context;
+
             if (shc.localSupportedSignAlgs == null) {
                 shc.localSupportedSignAlgs =
-                    SignatureScheme.getSupportedAlgorithms(
-                            shc.sslConfig,
-                            shc.algorithmConstraints, shc.activeProtocols);
+                        SignatureScheme.getSupportedAlgorithms(
+                                shc.sslConfig,
+                                shc.algorithmConstraints, shc.activeProtocols,
+                                HANDSHAKE_SCOPE);
+            }
+
+            if (shc.localSupportedCertSignAlgs == null) {
+                shc.localSupportedCertSignAlgs =
+                        SignatureScheme.getSupportedAlgorithms(
+                                shc.sslConfig,
+                                shc.algorithmConstraints, shc.activeProtocols,
+                                CERTIFICATE_SCOPE);
             }
 
-            if (shc.localSupportedSignAlgs == null ||
-                    shc.localSupportedSignAlgs.isEmpty()) {
+            // According to TLSv1.2 RFC, CertificateRequest message must
+            // contain signature schemes supported for both:
+            // handshake signatures and certificate signatures.
+            List<SignatureScheme> certReqSignAlgs =
+                    new ArrayList<>(shc.localSupportedSignAlgs);
+            certReqSignAlgs.retainAll(shc.localSupportedCertSignAlgs);
+
+            if (certReqSignAlgs == null ||
+                    certReqSignAlgs.isEmpty()) {
                 throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                     "No supported signature algorithm");
             }
@@ -625,7 +644,7 @@ public byte[] produce(ConnectionContext context,
                     shc.sslContext.getX509TrustManager().getAcceptedIssuers();
             T12CertificateRequestMessage crm = new T12CertificateRequestMessage(
                     shc, caCerts, shc.negotiatedCipherSuite.keyExchange,
-                    shc.localSupportedSignAlgs);
+                    certReqSignAlgs);
             if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                 SSLLogger.fine(
                     "Produced CertificateRequest handshake message", crm);
@@ -706,19 +725,28 @@ public void consume(ConnectionContext context,
             chc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
                     SSLHandshake.CERTIFICATE);
 
-            List<SignatureScheme> sss =
+            List<SignatureScheme> signAlgs =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.sslConfig,
+                            chc.algorithmConstraints, chc.negotiatedProtocol,
+                            crm.algorithmIds,
+                            HANDSHAKE_SCOPE);
+
+            List<SignatureScheme> signCertAlgs =
                     SignatureScheme.getSupportedAlgorithms(
                             chc.sslConfig,
                             chc.algorithmConstraints, chc.negotiatedProtocol,
-                            crm.algorithmIds);
-            if (sss == null || sss.isEmpty()) {
+                            crm.algorithmIds,
+                            CERTIFICATE_SCOPE);
+
+            if (signAlgs == null || signAlgs.isEmpty() || signCertAlgs.isEmpty()) {
                 throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
                         "No supported signature algorithm");
             }
 
-            chc.peerRequestedSignatureSchemes = sss;
-            chc.peerRequestedCertSignSchemes = sss;     // use the same schemes
-            chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);
+            chc.peerRequestedSignatureSchemes = signAlgs;
+            chc.peerRequestedCertSignSchemes = signCertAlgs;
+            chc.handshakeSession.setPeerSupportedSignatureAlgorithms(signCertAlgs);
             chc.peerSupportedAuthorities = crm.getAuthorities();
 
             // For TLS 1.2, we need to use a combination of the CR message's
@@ -762,6 +790,7 @@ private static SSLPossession choosePossession(HandshakeContext hc,
                 // Don't select a signature scheme unless we will be able to
                 // produce a CertificateVerify message later
                 if (SignatureScheme.getPreferableAlgorithm(
+                        hc.algorithmConstraints,
                         hc.peerRequestedSignatureSchemes,
                         ss, hc.negotiatedProtocol) == null) {
 

jdk/src/share/classes/sun/security/ssl/CertificateVerify.java

@@ -588,6 +588,7 @@ static final class T12CertificateVerifyMessage extends HandshakeMessage {
             ClientHandshakeContext chc = (ClientHandshakeContext)context;
             Map.Entry<SignatureScheme, Signature> schemeAndSigner =
                     SignatureScheme.getSignerOfPreferableAlgorithm(
+                    chc.algorithmConstraints,
                     chc.peerRequestedSignatureSchemes,
                     x509Possession,
                     chc.negotiatedProtocol);
@@ -897,6 +898,7 @@ static final class T13CertificateVerifyMessage extends HandshakeMessage {
 
             Map.Entry<SignatureScheme, Signature> schemeAndSigner =
                      SignatureScheme.getSignerOfPreferableAlgorithm(
+                     context.algorithmConstraints,
                      context.peerRequestedSignatureSchemes,
                      x509Possession,
                      context.negotiatedProtocol);

jdk/src/share/classes/sun/security/ssl/DHServerKeyExchange.java

@@ -128,6 +128,7 @@ class DHServerKeyExchangeMessage extends HandshakeMessage {
                 if (useExplicitSigAlgorithm) {
                     Map.Entry<SignatureScheme, Signature> schemeAndSigner =
                             SignatureScheme.getSignerOfPreferableAlgorithm(
+                                    shc.algorithmConstraints,
                                     shc.peerRequestedSignatureSchemes,
                                     x509Possession,
                                     shc.negotiatedProtocol);

jdk/src/share/classes/sun/security/ssl/ECDHServerKeyExchange.java

@@ -142,6 +142,7 @@ class ECDHServerKeyExchangeMessage extends HandshakeMessage {
                 if (useExplicitSigAlgorithm) {
                     Map.Entry<SignatureScheme, Signature> schemeAndSigner =
                             SignatureScheme.getSignerOfPreferableAlgorithm(
+                                shc.algorithmConstraints,
                                 shc.peerRequestedSignatureSchemes,
                                 x509Possession,
                                 shc.negotiatedProtocol);

jdk/src/share/classes/sun/security/ssl/HandshakeContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -83,7 +83,7 @@ abstract class HandshakeContext implements ConnectionContext {
     // consolidated parameters
     final List<ProtocolVersion>             activeProtocols;
     final List<CipherSuite>                 activeCipherSuites;
-    final AlgorithmConstraints              algorithmConstraints;
+    final SSLAlgorithmConstraints           algorithmConstraints;
     final ProtocolVersion                   maximumActiveProtocol;
 
     // output stream
@@ -136,6 +136,7 @@ abstract class HandshakeContext implements ConnectionContext {
 
     // SignatureScheme
     List<SignatureScheme>                   localSupportedSignAlgs;
+    List<SignatureScheme>                   localSupportedCertSignAlgs;
     List<SignatureScheme>                   peerRequestedSignatureSchemes;
     List<SignatureScheme>                   peerRequestedCertSignSchemes;
 

jdk/src/share/classes/sun/security/ssl/PostHandshakeContext.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,7 +43,7 @@ final class PostHandshakeContext extends HandshakeContext {
                 "Post-handshake not supported in " + negotiatedProtocol.name);
         }
 
-        this.localSupportedSignAlgs = new ArrayList<>(
+        this.localSupportedCertSignAlgs = new ArrayList<>(
             context.conSession.getLocalSupportedSignatureSchemes());
 
         // Add the potential post-handshake consumers.