JSSE: add support for wolfjsse.enabledSignatureAlgorithms system Security property, wrap native wolfSSL_set1_sigalgs_list()

2023-06-21 10:58:39 -06:00 · 2023-06-21 10:58:39 -06:00 · 0ecfe9b957
parent 7d5918c266
commit 0ecfe9b957
6 changed files with 143 additions and 3 deletions
--- a/native/com_wolfssl_WolfSSLSession.c
+++ b/native/com_wolfssl_WolfSSLSession.c
@ -3944,6 +3944,33 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_rehandshake
 #endif
 }

+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_set1SigAlgsList
+  (JNIEnv* jenv, jobject jcl, jlong sslPtr, jstring list)
+{
+#ifdef OPENSSL_EXTRA
+    int ret = 0;
+    const char* sigAlgList = NULL;
+    WOLFSSL* ssl = (WOLFSSL*)(uintptr_t)sslPtr;
+
+    if (jenv == NULL || ssl == NULL || list == NULL) {
+        return SSL_FAILURE;
+    }
+
+    sigAlgList = (*jenv)->GetStringUTFChars(jenv, list, 0);
+
+    ret = wolfSSL_set1_sigalgs_list(ssl, sigAlgList);
+
+    (*jenv)->ReleaseStringUTFChars(jenv, list, sigAlgList);
+#else
+    (void)jenv;
+    (void)ssl;
+    (void)list;
+    return NOT_COMPILED_IN;
+#endif
+    (void)jcl;
+    return (jint)ret;
+}
+
 JNIEXPORT void JNICALL Java_com_wolfssl_WolfSSLSession_setSSLIORecv
    (JNIEnv* jenv, jobject jcl, jlong sslPtr)
 {
--- a/native/com_wolfssl_WolfSSLSession.h
+++ b/native/com_wolfssl_WolfSSLSession.h
@ -743,6 +743,14 @@ JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_useSecureRenegotiation
 JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_rehandshake
  (JNIEnv *, jobject, jlong);

+/*
+ * Class:     com_wolfssl_WolfSSLSession
+ * Method:    set1SigAlgsList
+ * Signature: (JLjava/lang/String;)I
+ */
+JNIEXPORT jint JNICALL Java_com_wolfssl_WolfSSLSession_set1SigAlgsList
+  (JNIEnv *, jobject, jlong, jstring);
+
 #ifdef __cplusplus
 }
 #endif
--- a/src/java/com/wolfssl/WolfSSLContext.java
+++ b/src/java/com/wolfssl/WolfSSLContext.java
@ -787,7 +787,6 @@ public class WolfSSLContext {
     *              SSL client instead of an SSL server.
     * @throws IllegalStateException WolfSSLContext has been freed
     * @throws WolfSSLJNIException Internal JNI error
-     * @see    #accept()
     */
    public int setTmpDH(byte[] p, int pSz, byte[] g, int gSz)
        throws IllegalStateException, WolfSSLJNIException {
--- a/src/java/com/wolfssl/WolfSSLSession.java
+++ b/src/java/com/wolfssl/WolfSSLSession.java
@ -285,6 +285,7 @@ public class WolfSSLSession {
    private native int useALPN(long ssl, String protocols, int options);
    private native int useSecureRenegotiation(long ssl);
    private native int rehandshake(long ssl);
+    private native int set1SigAlgsList(long ssl, String list);

    /* ------------------- session-specific methods --------------------- */

@ -1111,10 +1112,10 @@ public class WolfSSLSession {
     *
     * @param list  null-terminated text string and colon-delimited list
     *              of cipher suites to use with the specified SSL
-     *              context.
+     *              session.
     * @return      <code>SSL_SUCCESS</code> upon success. <code>
     *              SSL_FAILURE</code> upon failure.
-     * @throws IllegalStateException WolfSSLContext has been freed
+     * @throws IllegalStateException WolfSSLSession has been freed
     * @see    WolfSSLContext#setCipherList(String)
     */
    public int setCipherList(String list) throws IllegalStateException {
@ -1124,6 +1125,58 @@ public class WolfSSLSession {
        return setCipherList(getSessionPtr(), list);
    }

+    /**
+     * Sets the supported signature algorithms for the given SSL session.
+     * By default, without calling this method, native wolfSSL will add the
+     * signature-hash algorithms automatically to the ClientHello message
+     * based on which algorithms and modes are compiled into the native library.
+     *
+     * Calling this function will override the defualt list with the specified
+     * list.
+     *
+     * The signature algorithm list, <b>list</b>, is a null-terminated text
+     * String, and colon delimited list. Each list item is a combination of
+     * public key algorithm and MAC algorithm, concatenated with a plus
+     * sign (+).
+     *
+     * Possible public key algorithms include the following, but are dependent
+     * on which algorithms are compiled into the native library:
+     *
+     *    "RSA"     - available if NO_RSA is not defined
+     *    "RSA-PSS" - available if !NO_RSA and WC_RSA_PSS
+     *    "PSS"     - available if !NO_RSA and WC_RSA_PSS
+     *    "ECDSA"   - available if HAVE_ECC
+     *    "ED25519" - available if HAVE_ED25519
+     *    "ED448"   - available if HAVE_ED448
+     *    "DSA"     - available if !NO_DSA
+     *
+     * Possible MAC/hash algorithms include the following, but are also
+     * dependent on which algorithms are compiled into the native library:
+     *
+     *    "SHA1"    - available if !NO_SHA and (!NO_OLD_TLS or WOLFSSL_ALLOW_TLS_SHA1)
+     *    "SHA224"  - available if WOLFSSL_SHA224
+     *    "SHA256"  - available if WOLFSSL_SHA256
+     *    "SHA384"  - available if WOLFSSL_SHA384
+     *    "SHA512"  - available if WOLFSSL_SHA512
+     *
+     * When put together as list items these would look similar to:
+     *
+     *    "RSA+SHA256:ECDSA+SHA256"
+     *
+     * @param list  null-terminated text string and colon-delimited list
+     *              of signature algorithms to use with the specified SSL
+     *              session.
+     * @return      <code>SSL_SUCCESS</code> upon success. <code>
+     *              SSL_FAILURE</code> upon failure.
+     * @throws IllegalStateException WolfSSLSession has been freed
+     */
+    public int setSignatureAlgorithms(String list)
+        throws IllegalStateException {
+
+        confirmObjectIsActive();
+
+        return set1SigAlgsList(getSessionPtr(), list);
+    }

    /* ---------------- Nonblocking DTLS helper functions  -------------- */

--- a/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLEngineHelper.java
@ -668,6 +668,31 @@ public class WolfSSLEngineHelper {
        }
    }

+    private void setLocalSigAlgorithms() {
+
+        int ret = 0;
+
+        if (this.clientMode) {
+            /* Get restricted signature algorithms for ClientHello if set by
+             * user in "wolfjsse.enabledSigAlgorithms" Security property */
+            String sigAlgos = WolfSSLUtil.getSignatureAlgorithms();
+
+            if (sigAlgos != null) {
+                ret = this.ssl.setSignatureAlgorithms(sigAlgos);
+                if (ret != WolfSSL.SSL_SUCCESS &&
+                    ret != WolfSSL.NOT_COMPILED_IN) {
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        "error restricting signature algorithms based on " +
+                        "wolfjsse.enabledSignatureAlgorithms property");
+                } else if (ret == WolfSSL.SSL_SUCCESS) {
+                    WolfSSLDebug.log(getClass(), WolfSSLDebug.INFO,
+                        "restricted signature algorithms based on " +
+                        "wolfjsse.enabledSignatureAlgorithms property");
+                }
+            }
+        }
+    }
+
    private void setLocalParams() throws SSLException {
        this.setLocalCiphers(
            WolfSSLUtil.sanitizeSuites(this.params.getCipherSuites()));
@ -678,6 +703,7 @@ public class WolfSSLEngineHelper {
        this.setLocalSessionTicket();
        this.setLocalAlpnProtocols();
        this.setLocalSecureRenegotiation();
+        this.setLocalSigAlgorithms();
    }

    /**
--- a/src/java/com/wolfssl/provider/jsse/WolfSSLUtil.java
+++ b/src/java/com/wolfssl/provider/jsse/WolfSSLUtil.java
@ -159,6 +159,33 @@ public class WolfSSLUtil {
        return true;
    }

+    /**
+     * Return TLS signature algorithms allowed if set in
+     * wolfjsse.enabledSignatureAlgorithms system Security property.
+     *
+     * @return Colon delimited list of signature algorithms to be set
+     *         in the ClientHello.
+     */
+    protected static String getSignatureAlgorithms() {
+
+        String sigAlgos =
+            Security.getProperty("wolfjsse.enabledSignatureAlgorithms");
+
+        if (sigAlgos == null || sigAlgos.isEmpty()) {
+            return null;
+        }
+
+        WolfSSLDebug.log(WolfSSLUtil.class, WolfSSLDebug.INFO,
+            "restricting enabled ClientHello signature algorithms");
+        WolfSSLDebug.log(WolfSSLUtil.class, WolfSSLDebug.INFO,
+            "wolfjsse.enabledSigAlgos: " + sigAlgos);
+
+        /* Remove spaces between colons if present */
+        sigAlgos = sigAlgos.replaceAll(" : ", ":");
+
+        return sigAlgos;
+    }
+
    /**
     * Return maximum key size allowed if minimum is set in
     * jdk.tls.disabledAlgorithms security property for specified algorithm.