Skip to content

Instantly share code, notes, and snippets.

@karlvr

karlvr/jdk8-backport-JDK-8072452.patch

Last active May 29, 2016 04:15
Show Gist options
  • Save karlvr/a47393aff47b68efe22fb15edff0094d to your computer and use it in GitHub Desktop.
Save karlvr/a47393aff47b68efe22fb15edff0094d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
jdk8-backport-JDK-8072452.patch
diff -r bb795f69be65 src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java
--- a/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java Sun May 29 16:09:37 2016 +1200
@@ -71,6 +71,17 @@
initialize(1024, null);
}
+ private static void checkKeySize(int keysize)
+ throws InvalidParameterException {
+
+ if ((keysize < 512) || (keysize > 8192) || ((keysize & 0x3F) != 0)) {
+ throw new InvalidParameterException(
+ "DH key size must be multiple of 64, and can only range " +
+ "from 512 to 8192 (inclusive). " +
+ "The specific key size " + keysize + " is not supported");
+ }
+ }
+
/**
* Initializes this key pair generator for a certain keysize and source of
* randomness.
@@ -80,16 +91,22 @@
* @param random the source of randomness
*/
public void initialize(int keysize, SecureRandom random) {
- if ((keysize < 512) || (keysize > 2048) || (keysize % 64 != 0)) {
- throw new InvalidParameterException("Keysize must be multiple "
- + "of 64, and can only range "
- + "from 512 to 2048 "
- + "(inclusive)");
+ checkKeySize(keysize);
+
+ // Use the built-in parameters (ranging from 512 to 8192)
+ // when available.
+ this.params = ParameterCache.getCachedDHParameterSpec(keysize);
+
+ // Due to performance issue, only support DH parameters generation
+ // up to 1024 bits.
+ if ((this.params == null) && (keysize > 1024)) {
+ throw new InvalidParameterException(
+ "Unsupported " + keysize + "-bit DH parameter generation");
}
+
this.pSize = keysize;
this.lSize = 0;
this.random = random;
- this.params = null;
}
/**
@@ -115,11 +132,10 @@
params = (DHParameterSpec)algParams;
pSize = params.getP().bitLength();
- if ((pSize < 512) || (pSize > 2048) ||
- (pSize % 64 != 0)) {
- throw new InvalidAlgorithmParameterException
- ("Prime size must be multiple of 64, and can only range "
- + "from 512 to 2048 (inclusive)");
+ try {
+ checkKeySize(pSize);
+ } catch (InvalidParameterException ipe) {
+ throw new InvalidAlgorithmParameterException(ipe.getMessage());
}
// exponent size is optional, could be 0
diff -r bb795f69be65 src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
--- a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java Sun May 29 16:09:37 2016 +1200
@@ -25,6 +25,7 @@
package com.sun.crypto.provider;
+import java.math.BigInteger;
import java.security.*;
import java.security.spec.*;
import javax.crypto.spec.DHParameterSpec;
@@ -46,8 +47,7 @@
* @see java.security.spec.AlgorithmParameterSpec
* @see DHParameters
*/
-public final class DHParameterGenerator
-extends AlgorithmParameterGeneratorSpi {
+public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
// The size in bits of the prime modulus
private int primeSize = 1024;
@@ -59,12 +59,16 @@
private SecureRandom random = null;
private static void checkKeySize(int keysize)
- throws InvalidAlgorithmParameterException {
- if ((keysize != 2048) &&
- ((keysize < 512) || (keysize > 1024) || (keysize % 64 != 0))) {
- throw new InvalidAlgorithmParameterException(
- "Keysize must be multiple of 64 ranging from "
- + "512 to 1024 (inclusive), or 2048");
+ throws InvalidParameterException {
+
+ boolean supported = ((keysize == 2048) || (keysize == 3072) ||
+ ((keysize >= 512) && (keysize <= 1024) && ((keysize & 0x3F) == 0)));
+
+ if (!supported) {
+ throw new InvalidParameterException(
+ "DH key size must be multiple of 64 and range " +
+ "from 512 to 1024 (inclusive), or 2048, 3072. " +
+ "The specific key size " + keysize + " is not supported");
}
}
@@ -76,13 +80,9 @@
* @param keysize the keysize (size of prime modulus) in bits
* @param random the source of randomness
*/
+ @Override
protected void engineInit(int keysize, SecureRandom random) {
- // Re-uses DSA parameters and thus have the same range
- try {
- checkKeySize(keysize);
- } catch (InvalidAlgorithmParameterException ex) {
- throw new InvalidParameterException(ex.getMessage());
- }
+ checkKeySize(keysize);
this.primeSize = keysize;
this.random = random;
}
@@ -98,32 +98,31 @@
* @exception InvalidAlgorithmParameterException if the given parameter
* generation values are inappropriate for this parameter generator
*/
+ @Override
protected void engineInit(AlgorithmParameterSpec genParamSpec,
- SecureRandom random)
- throws InvalidAlgorithmParameterException {
+ SecureRandom random) throws InvalidAlgorithmParameterException {
+
if (!(genParamSpec instanceof DHGenParameterSpec)) {
throw new InvalidAlgorithmParameterException
("Inappropriate parameter type");
}
DHGenParameterSpec dhParamSpec = (DHGenParameterSpec)genParamSpec;
-
primeSize = dhParamSpec.getPrimeSize();
-
- // Re-uses DSA parameters and thus have the same range
- checkKeySize(primeSize);
-
exponentSize = dhParamSpec.getExponentSize();
- if (exponentSize <= 0) {
- throw new InvalidAlgorithmParameterException
- ("Exponent size must be greater than zero");
+ if ((exponentSize <= 0) || (exponentSize >= primeSize)) {
+ throw new InvalidAlgorithmParameterException(
+ "Exponent size (" + exponentSize +
+ ") must be positive and less than modulus size (" +
+ primeSize + ")");
+ }
+ try {
+ checkKeySize(primeSize);
+ } catch (InvalidParameterException ipe) {
+ throw new InvalidAlgorithmParameterException(ipe.getMessage());
}
- // Require exponentSize < primeSize
- if (exponentSize >= primeSize) {
- throw new InvalidAlgorithmParameterException
- ("Exponent size must be less than modulus size");
- }
+ this.random = random;
}
/**
@@ -131,24 +130,22 @@
*
* @return the new AlgorithmParameters object
*/
+ @Override
protected AlgorithmParameters engineGenerateParameters() {
- AlgorithmParameters algParams = null;
- if (this.exponentSize == 0) {
- this.exponentSize = this.primeSize - 1;
+ if (random == null) {
+ random = SunJCE.getRandom();
}
- if (this.random == null)
- this.random = SunJCE.getRandom();
-
+ BigInteger paramP = null;
+ BigInteger paramG = null;
try {
- AlgorithmParameterGenerator paramGen;
- DSAParameterSpec dsaParamSpec;
-
- paramGen = AlgorithmParameterGenerator.getInstance("DSA");
- paramGen.init(this.primeSize, random);
- algParams = paramGen.generateParameters();
- dsaParamSpec = algParams.getParameterSpec(DSAParameterSpec.class);
+ AlgorithmParameterGenerator dsaParamGen =
+ AlgorithmParameterGenerator.getInstance("DSA");
+ dsaParamGen.init(primeSize, random);
+ AlgorithmParameters dsaParams = dsaParamGen.generateParameters();
+ DSAParameterSpec dsaParamSpec =
+ dsaParams.getParameterSpec(DSAParameterSpec.class);
DHParameterSpec dhParamSpec;
if (this.exponentSize > 0) {
@@ -159,16 +156,13 @@
dhParamSpec = new DHParameterSpec(dsaParamSpec.getP(),
dsaParamSpec.getG());
}
- algParams = AlgorithmParameters.getInstance("DH",
- SunJCE.getInstance());
+ AlgorithmParameters algParams =
+ AlgorithmParameters.getInstance("DH", SunJCE.getInstance());
algParams.init(dhParamSpec);
- } catch (InvalidParameterSpecException e) {
- // this should never happen
- throw new RuntimeException(e.getMessage());
- } catch (NoSuchAlgorithmException e) {
- // this should never happen, because we provide it
- throw new RuntimeException(e.getMessage());
+
+ return algParams;
+ } catch (Exception ex) {
+ throw new ProviderException("Unexpected exception", ex);
}
- return algParams;
}
}
diff -r bb795f69be65 src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
--- a/src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java Sun May 29 16:09:37 2016 +1200
@@ -134,6 +134,7 @@
}
// see JCA spec
+ @Override
public void initialize(int keySize, SecureRandom random) {
token.ensureValid();
try {
@@ -155,6 +156,7 @@
}
// see JCA spec
+ @Override
public void initialize(AlgorithmParameterSpec params, SecureRandom random)
throws InvalidAlgorithmParameterException {
token.ensureValid();
@@ -166,7 +168,7 @@
}
DHParameterSpec dhParams = (DHParameterSpec) params;
tmpKeySize = dhParams.getP().bitLength();
- checkKeySize(tmpKeySize, null);
+ checkKeySize(tmpKeySize, dhParams);
// XXX sanity check params
} else if (algorithm.equals("RSA")) {
if (params instanceof RSAKeyGenParameterSpec == false) {
@@ -188,7 +190,7 @@
}
DSAParameterSpec dsaParams = (DSAParameterSpec) params;
tmpKeySize = dsaParams.getP().bitLength();
- checkKeySize(tmpKeySize, null);
+ checkKeySize(tmpKeySize, dsaParams);
// XXX sanity check params
} else if (algorithm.equals("EC")) {
ECParameterSpec ecParams;
@@ -213,7 +215,7 @@
("ECParameterSpec or ECGenParameterSpec required for EC");
}
tmpKeySize = ecParams.getCurve().getField().getFieldSize();
- checkKeySize(tmpKeySize, null);
+ checkKeySize(tmpKeySize, ecParams);
} else {
throw new ProviderException("Unknown algorithm: " + algorithm);
}
@@ -222,40 +224,45 @@
this.random = random;
}
- // NOTE: 'params' is only used for checking RSA keys currently.
- private void checkKeySize(int keySize, RSAKeyGenParameterSpec params)
+ private void checkKeySize(int keySize, AlgorithmParameterSpec params)
throws InvalidAlgorithmParameterException {
// check native range first
if ((minKeySize != -1) && (keySize < minKeySize)) {
throw new InvalidAlgorithmParameterException(algorithm +
- " key must be at least " + minKeySize + " bits");
+ " key must be at least " + minKeySize + " bits. " +
+ "The specific key size " + keySize + " is not supported");
}
if ((maxKeySize != -1) && (keySize > maxKeySize)) {
throw new InvalidAlgorithmParameterException(algorithm +
- " key must be at most " + maxKeySize + " bits");
+ " key must be at most " + maxKeySize + " bits. " +
+ "The specific key size " + keySize + " is not supported");
}
// check our own algorithm-specific limits also
if (algorithm.equals("EC")) {
if (keySize < 112) {
- throw new InvalidAlgorithmParameterException
- ("Key size must be at least 112 bit");
+ throw new InvalidAlgorithmParameterException(
+ "EC key size must be at least 112 bit. " +
+ "The specific key size " + keySize + " is not supported");
}
if (keySize > 2048) {
// sanity check, nobody really wants keys this large
- throw new InvalidAlgorithmParameterException
- ("Key size must be at most 2048 bit");
+ throw new InvalidAlgorithmParameterException(
+ "EC key size must be at most 2048 bit. " +
+ "The specific key size " + keySize + " is not supported");
}
} else {
// RSA, DH, DSA
if (keySize < 512) {
- throw new InvalidAlgorithmParameterException
- ("Key size must be at least 512 bit");
+ throw new InvalidAlgorithmParameterException(algorithm +
+ " key size must be at least 512 bit. " +
+ "The specific key size " + keySize + " is not supported");
}
if (algorithm.equals("RSA")) {
BigInteger tmpExponent = rsaPublicExponent;
if (params != null) {
- tmpExponent = params.getPublicExponent();
+ tmpExponent =
+ ((RSAKeyGenParameterSpec)params).getPublicExponent();
}
try {
// Reuse the checking in SunRsaSign provider.
@@ -265,31 +272,55 @@
minKeySize,
(maxKeySize==-1? Integer.MAX_VALUE:maxKeySize));
} catch (InvalidKeyException e) {
- throw new InvalidAlgorithmParameterException(e.getMessage());
+ throw new InvalidAlgorithmParameterException(e);
+ }
+ } else if (algorithm.equals("DH")) {
+ if (params != null) { // initialized with specified parameters
+ // sanity check, nobody really wants keys this large
+ if (keySize > 64 * 1024) {
+ throw new InvalidAlgorithmParameterException(
+ "DH key size must be at most 65536 bit. " +
+ "The specific key size " +
+ keySize + " is not supported");
+ }
+ } else { // default parameters will be used.
+ // Range is based on the values in
+ // sun.security.provider.ParameterCache class.
+ if ((keySize > 8192) || (keySize < 512) ||
+ ((keySize & 0x3f) != 0)) {
+ throw new InvalidAlgorithmParameterException(
+ "DH key size must be multiple of 64, and can " +
+ "only range from 512 to 8192 (inclusive). " +
+ "The specific key size " +
+ keySize + " is not supported");
+ }
+
+ DHParameterSpec cache =
+ ParameterCache.getCachedDHParameterSpec(keySize);
+ // Except 2048 and 3072, not yet support generation of
+ // parameters bigger than 1024 bits.
+ if ((cache == null) && (keySize > 1024)) {
+ throw new InvalidAlgorithmParameterException(
+ "Unsupported " + keySize +
+ "-bit DH parameter generation");
+ }
}
} else {
- if (algorithm.equals("DH") && (params != null)) {
- // sanity check, nobody really wants keys this large
- if (keySize > 64 * 1024) {
- throw new InvalidAlgorithmParameterException
- ("Key size must be at most 65536 bit");
- }
- } else {
- // this restriction is in the spec for DSA
- // since we currently use DSA parameters for DH as well,
- // it also applies to DH if no parameters are specified
- if ((keySize != 2048) &&
+ // this restriction is in the spec for DSA
+ if ((keySize != 3072) && (keySize != 2048) &&
((keySize > 1024) || ((keySize & 0x3f) != 0))) {
- throw new InvalidAlgorithmParameterException(algorithm +
- " key must be multiples of 64 if less than 1024 bits" +
- ", or 2048 bits");
- }
+ throw new InvalidAlgorithmParameterException(
+ "DSA key must be multiples of 64 if less than " +
+ "1024 bits, or 2048, 3072 bits. " +
+ "The specific key size " +
+ keySize + " is not supported");
}
}
}
}
// see JCA spec
+ @Override
public KeyPair generateKeyPair() {
token.ensureValid();
CK_ATTRIBUTE[] publicKeyTemplate;
diff -r bb795f69be65 src/share/classes/sun/security/provider/DSAKeyPairGenerator.java
--- a/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java Sun May 29 16:09:37 2016 +1200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -46,7 +46,7 @@
*
*/
public class DSAKeyPairGenerator extends KeyPairGenerator
-implements java.security.interfaces.DSAKeyPairGenerator {
+ implements java.security.interfaces.DSAKeyPairGenerator {
/* Length for prime P and subPrime Q in bits */
private int plen;
@@ -74,6 +74,8 @@
// N=160
} else if (sizeP == 2048 && (sizeQ == 224 || sizeQ == 256)) {
// L=2048, N=224 or 256
+ } else if (sizeP == 3072 && sizeQ == 256) {
+ // L=3072, N=256
} else {
throw new InvalidParameterException
("Unsupported prime and subprime size combination: " +
@@ -91,12 +93,17 @@
* Initializes the DSA key pair generator. If <code>genParams</code>
* is false, a set of pre-computed parameters is used.
*/
- public void initialize(int modlen, boolean genParams, SecureRandom random) {
+ @Override
+ public void initialize(int modlen, boolean genParams, SecureRandom random)
+ throws InvalidParameterException {
+
int subPrimeLen = -1;
if (modlen <= 1024) {
subPrimeLen = 160;
} else if (modlen == 2048) {
subPrimeLen = 224;
+ } else if (modlen == 3072) {
+ subPrimeLen = 256;
}
checkStrength(modlen, subPrimeLen);
if (genParams) {
@@ -122,7 +129,10 @@
*
* @param params a fully initialized DSA parameter object.
*/
- public void initialize(DSAParams params, SecureRandom random) {
+ @Override
+ public void initialize(DSAParams params, SecureRandom random)
+ throws InvalidParameterException {
+
if (params == null) {
throw new InvalidParameterException("Params must not be null");
}
diff -r bb795f69be65 src/share/classes/sun/security/provider/DSAParameterGenerator.java
--- a/src/share/classes/sun/security/provider/DSAParameterGenerator.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/sun/security/provider/DSAParameterGenerator.java Sun May 29 16:09:37 2016 +1200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -83,16 +83,18 @@
* @param strength the strength (size of prime) in bits
* @param random the source of randomness
*/
+ @Override
protected void engineInit(int strength, SecureRandom random) {
if ((strength >= 512) && (strength <= 1024) && (strength % 64 == 0)) {
this.valueN = 160;
} else if (strength == 2048) {
this.valueN = 224;
-// } else if (strength == 3072) {
-// this.valueN = 256;
+ } else if (strength == 3072) {
+ this.valueN = 256;
} else {
- throw new InvalidParameterException
- ("Prime size should be 512 - 1024, or 2048");
+ throw new InvalidParameterException(
+ "Unexpected strength (size of prime): " + strength + ". " +
+ "Prime size should be 512 - 1024, or 2048, 3072");
}
this.valueL = strength;
this.seedLen = valueN;
@@ -103,26 +105,24 @@
* Initializes this parameter generator with a set of
* algorithm-specific parameter generation values.
*
- * @param genParamSpec the set of algorithm-specific parameter generation values
+ * @param genParamSpec the set of algorithm-specific parameter
+ * generation values
* @param random the source of randomness
*
* @exception InvalidAlgorithmParameterException if the given parameter
* generation values are inappropriate for this parameter generator
*/
+ @Override
protected void engineInit(AlgorithmParameterSpec genParamSpec,
- SecureRandom random)
- throws InvalidAlgorithmParameterException {
+ SecureRandom random) throws InvalidAlgorithmParameterException {
+
if (!(genParamSpec instanceof DSAGenParameterSpec)) {
throw new InvalidAlgorithmParameterException("Invalid parameter");
}
- DSAGenParameterSpec dsaGenParams = (DSAGenParameterSpec) genParamSpec;
- int primePLen = dsaGenParams.getPrimePLength();
- if (primePLen > 2048) {
- throw new InvalidParameterException
- ("No support for prime size " + primePLen);
- }
+ DSAGenParameterSpec dsaGenParams = (DSAGenParameterSpec)genParamSpec;
+
// directly initialize using the already validated values
- this.valueL = primePLen;
+ this.valueL = dsaGenParams.getPrimePLength();
this.valueN = dsaGenParams.getSubprimeQLength();
this.seedLen = dsaGenParams.getSeedLength();
this.random = random;
@@ -133,6 +133,7 @@
*
* @return the new AlgorithmParameters object
*/
+ @Override
protected AlgorithmParameters engineGenerateParameters() {
AlgorithmParameters algParams = null;
try {
@@ -213,8 +214,8 @@
int primeCertainty = 80; // for 1024-bit prime P
if (valueL == 2048) {
primeCertainty = 112;
- //} else if (valueL == 3072) {
- // primeCertainty = 128;
+ } else if (valueL == 3072) {
+ primeCertainty = 128;
}
BigInteger resultP, resultQ, seed = null;
diff -r bb795f69be65 src/share/classes/sun/security/provider/ParameterCache.java
--- a/src/share/classes/sun/security/provider/ParameterCache.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/sun/security/provider/ParameterCache.java Sun May 29 16:09:37 2016 +1200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -65,7 +65,7 @@
// case#1: (512 <= p <= 1024) AND q=160
// case#2: p=2048 AND q=224
// case#3: p=2048 AND q=256
- // (NOT-YET-SUPPORTED)case#4: p=3072 AND q=256
+ // case#4: p=3072 AND q=256
return dsaCache.get(Integer.valueOf(primeLen+subprimeLen));
}
@@ -90,6 +90,8 @@
return getDSAParameterSpec(primeLen, 160, random);
} else if (primeLen == 2048) {
return getDSAParameterSpec(primeLen, 224, random);
+ } else if (primeLen == 3072) {
+ return getDSAParameterSpec(primeLen, 256, random);
} else {
return null;
}
@@ -165,8 +167,8 @@
/*
* We support precomputed parameter for legacy 512, 768 bit moduli,
- * and (L, N) combinations of (1024, 160), (2048, 224), (2048, 256).
- * In this file we provide both the seed and counter
+ * and (L, N) combinations of (1024, 160), (2048, 224), (2048, 256),
+ * (3072, 256). In this file we provide both the seed and counter
* value of the generation process for each of these seeds,
* for validation purposes. We also include the test vectors
* from the DSA specification, FIPS 186, and the FIPS 186
@@ -288,12 +290,14 @@
"af02112b0d1f02da30973224fe27aeda8b9d4b2922" +
"d9ba8be39ed9e103a63c52810bc688b7e2ed4316e1" +
"ef17dbde", 16);
+
dsaCache.put(Integer.valueOf(2048+224),
new DSAParameterSpec(p2048_224, q2048_224, g2048_224));
/*
* L = 2048, N = 256
- * SEED = b0b4417601b59cbc9d8ac8f935cadaec4f5fbb2f23785609ae466748d9b5a536
+ * SEED = b0b4417601b59cbc9d8ac8f935cadaec \
+ * 4f5fbb2f23785609ae466748d9b5a536
* counter = 497
*/
BigInteger p2048_256 =
@@ -329,14 +333,245 @@
"8d15bbac65212a55239cfc7e58fae38d7250ab9991" +
"ffbc97134025fe8ce04c4399ad96569be91a546f49" +
"78693c7a", 16);
+
dsaCache.put(Integer.valueOf(2048+256),
- new DSAParameterSpec(p2048_256, q2048_256, g2048_256));
+ new DSAParameterSpec(p2048_256, q2048_256, g2048_256));
- // use DSA parameters for DH as well
+
+ /*
+ * L = 3072, N = 256
+ * SEED = 9fe304be4d6b9919559f39d5911d12e9 \
+ * 5158d6946598cd59775b8f3b8fff3a3f
+ * counter = 1186
+ */
+ BigInteger p3072_256 = new BigInteger(
+ "ea9cda9f5fbda66dd830494609405687ab7cf38538e058d1" +
+ "e2f68dea95364866e1c05beacded24227edee28cad80bcec" +
+ "ad39913be3b713267b3b96c8d9f0f6a03b5dfc9222d5cfe4" +
+ "afcc9982f33784f760c3b759aebe3bbe9098a6b84c96f1fd" +
+ "e44ce11c084c2a082c7a76a0ef142928b4f328406ab9beb2" +
+ "4f84577dd0f46ce86fd8f08488269998bf4742d6425f7a0e" +
+ "c75d8660c5dd6f4e3b3d3bee81b2c21afe8c9e8b84b87192" +
+ "e2cc20f961d2bcd8133afcf3675ab80681cb374c78f33e29" +
+ "d1011083d89f9c5728b94676fccb1b57bc60288c15d85ae8" +
+ "38ae1941c5a20ae2b2049b3583fe30da455ddb3e6ad9b995" +
+ "5cd9bb5681431622beb0f92da533fcab496cebc447aa1bb5" +
+ "a8039522f2da98ff416289323a64df626ab6881870927dce" +
+ "e387f13b5c9d24d6cba1d82ed375a082506ee87bc7ae3006" +
+ "7f4a94e2ee363d992c40f2725b5db4b3525ebde22bbbfd0f" +
+ "a124a588b0f5a4acb3a86951aff09f8c8198fb5b53da0c93" +
+ "1cedc598b4f835b779d04d99026c7ba08c4b27f118ac1e3d", 16);
+
+ BigInteger q3072_256 = new BigInteger(
+ "c4eeac2bbab79bd831946d717a56a6e687547aa8e9c5494a" +
+ "5a4b2f4ca13d6c11", 16);
+
+ BigInteger g3072_256 = new BigInteger(
+ "42e5fa7844f8fa9d8998d830d004e7b15b1d276bcbe5f12c" +
+ "35ec90c1a25f5832018a6724bd9cdbe803b675509bed167f" +
+ "3d7cf8599fc865c6d5a0f79158c1bc918f00a944d0ad0f38" +
+ "f520fb91d85d82674d0d5f874faa5fcdfe56cd178c1afdc7" +
+ "ce8795727b7dee966ed0b3c5cedcef8aca628befebf2d105" +
+ "c7aff8eb0da9c9610737dd64dce1237b82c1b2bc8608d55f" +
+ "fda98d7189444e65883315669c05716bde36c78b130aa3df" +
+ "2e4d609914c7c8dc470f4e300187c775f81e7b1a9c0dce40" +
+ "5d6eab2cbb9d9c4ef44412ba573dd403c4ed7bc2364772f5" +
+ "6a30c48de78f5003f9371c55262d2c8ac2246ade3b02fdcf" +
+ "cf5cbfde74fbcbfe6e0e0fdf3160764f84d311c179a40af6" +
+ "79a8f47ab13c8f706893245eb11edcce451fa2ab98001998" +
+ "7f125d8dc96622d419ba0d71f16c6024dce9d364c3b26d8e" +
+ "c1a3c828f6c9d14b1d0333b95db77bfdbe3c6bce5337a1a5" +
+ "a7ace10111219448447197e2a344cc423be768bb89e27be6" +
+ "cbd22085614a5a3360be23b1bfbb6e6e6471363d32c85d31", 16);
+
+ dsaCache.put(Integer.valueOf(3072+256),
+ new DSAParameterSpec(p3072_256, q3072_256, g3072_256));
+
+ //
+ // Diffie-Hellman Groups
+ //
+
+ // the common generator
+ BigInteger dhG = BigInteger.valueOf(2);
+
+ //
+ // From RFC 7296
+
+ // The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
+ BigInteger dhP768 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16);
+
+ // The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }
+ BigInteger dhP1024 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" +
+ "FFFFFFFFFFFFFFFF", 16);
+
+ //
+ // From RFC 3526
+
+ // The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 }
+ BigInteger dhP1536 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16);
+
+ // This prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 }
+ BigInteger dhP2048 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" +
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" +
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" +
+ "15728E5A8AACAA68FFFFFFFFFFFFFFFF", 16);
+
+ // This prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 }
+ BigInteger dhP3072 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" +
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" +
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" +
+ "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" +
+ "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" +
+ "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" +
+ "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" +
+ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" +
+ "43DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF", 16);
+
+ // This prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 }
+ BigInteger dhP4096 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" +
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" +
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" +
+ "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" +
+ "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" +
+ "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" +
+ "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" +
+ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" +
+ "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" +
+ "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" +
+ "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" +
+ "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" +
+ "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" +
+ "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934063199" +
+ "FFFFFFFFFFFFFFFF", 16);
+
+ // This prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 }
+ BigInteger dhP6144 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E08" +
+ "8A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B" +
+ "302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9" +
+ "A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE6" +
+ "49286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8" +
+ "FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C" +
+ "180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718" +
+ "3995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D" +
+ "04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7D" +
+ "B3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D226" +
+ "1AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200C" +
+ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFC" +
+ "E0FD108E4B82D120A92108011A723C12A787E6D788719A10BDBA5B26" +
+ "99C327186AF4E23C1A946834B6150BDA2583E9CA2AD44CE8DBBBC2DB" +
+ "04DE8EF92E8EFC141FBECAA6287C59474E6BC05D99B2964FA090C3A2" +
+ "233BA186515BE7ED1F612970CEE2D7AFB81BDD762170481CD0069127" +
+ "D5B05AA993B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" +
+ "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BDF8FF9406" +
+ "AD9E530EE5DB382F413001AEB06A53ED9027D831179727B0865A8918" +
+ "DA3EDBEBCF9B14ED44CE6CBACED4BB1BDB7F1447E6CC254B33205151" +
+ "2BD7AF426FB8F401378CD2BF5983CA01C64B92ECF032EA15D1721D03" +
+ "F482D7CE6E74FEF6D55E702F46980C82B5A84031900B1C9E59E7C97F" +
+ "BEC7E8F323A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" +
+ "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE32806A1D58B" +
+ "B7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55CDA56C9EC2EF29632" +
+ "387FE8D76E3C0468043E8F663F4860EE12BF2D5B0B7474D6E694F91E" +
+ "6DCC4024FFFFFFFFFFFFFFFF", 16);
+
+ // This prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 }
+ BigInteger dhP8192 = new BigInteger(
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B" +
+ "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9" +
+ "DE2BCBF6955817183995497CEA956AE515D2261898FA0510" +
+ "15728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64" +
+ "ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7" +
+ "ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6B" +
+ "F12FFA06D98A0864D87602733EC86A64521F2B18177B200C" +
+ "BBE117577A615D6C770988C0BAD946E208E24FA074E5AB31" +
+ "43DB5BFCE0FD108E4B82D120A92108011A723C12A787E6D7" +
+ "88719A10BDBA5B2699C327186AF4E23C1A946834B6150BDA" +
+ "2583E9CA2AD44CE8DBBBC2DB04DE8EF92E8EFC141FBECAA6" +
+ "287C59474E6BC05D99B2964FA090C3A2233BA186515BE7ED" +
+ "1F612970CEE2D7AFB81BDD762170481CD0069127D5B05AA9" +
+ "93B4EA988D8FDDC186FFB7DC90A6C08F4DF435C934028492" +
+ "36C3FAB4D27C7026C1D4DCB2602646DEC9751E763DBA37BD" +
+ "F8FF9406AD9E530EE5DB382F413001AEB06A53ED9027D831" +
+ "179727B0865A8918DA3EDBEBCF9B14ED44CE6CBACED4BB1B" +
+ "DB7F1447E6CC254B332051512BD7AF426FB8F401378CD2BF" +
+ "5983CA01C64B92ECF032EA15D1721D03F482D7CE6E74FEF6" +
+ "D55E702F46980C82B5A84031900B1C9E59E7C97FBEC7E8F3" +
+ "23A97A7E36CC88BE0F1D45B7FF585AC54BD407B22B4154AA" +
+ "CC8F6D7EBF48E1D814CC5ED20F8037E0A79715EEF29BE328" +
+ "06A1D58BB7C5DA76F550AA3D8A1FBFF0EB19CCB1A313D55C" +
+ "DA56C9EC2EF29632387FE8D76E3C0468043E8F663F4860EE" +
+ "12BF2D5B0B7474D6E694F91E6DBE115974A3926F12FEE5E4" +
+ "38777CB6A932DF8CD8BEC4D073B931BA3BC832B68D9DD300" +
+ "741FA7BF8AFC47ED2576F6936BA424663AAB639C5AE4F568" +
+ "3423B4742BF1C978238F16CBE39D652DE3FDB8BEFC848AD9" +
+ "22222E04A4037C0713EB57A81A23F0C73473FC646CEA306B" +
+ "4BCBC8862F8385DDFA9D4B7FA2C087E879683303ED5BDD3A" +
+ "062B3CF5B3A278A66D2A13F83F44F82DDF310EE074AB6A36" +
+ "4597E899A0255DC164F31CC50846851DF9AB48195DED7EA1" +
+ "B1D510BD7EE74D73FAF36BC31ECFA268359046F4EB879F92" +
+ "4009438B481C6CD7889A002ED5EE382BC9190DA6FC026E47" +
+ "9558E4475677E9AA9E3050E2765694DFC81F56E880B96E71" +
+ "60C980DD98EDD3DFFFFFFFFFFFFFFFFF", 16);
+
+ // use DSA parameters for DH for sizes not defined in RFC 7296, 3526
dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512));
- dhCache.put(Integer.valueOf(768), new DHParameterSpec(p768, g768));
- dhCache.put(Integer.valueOf(1024), new DHParameterSpec(p1024, g1024));
- dhCache.put(Integer.valueOf(2048), new DHParameterSpec(p2048_224, g2048_224));
+
+ dhCache.put(Integer.valueOf(768), new DHParameterSpec(dhP768, dhG));
+ dhCache.put(Integer.valueOf(1024), new DHParameterSpec(dhP1024, dhG));
+ dhCache.put(Integer.valueOf(1536), new DHParameterSpec(dhP1536, dhG));
+ dhCache.put(Integer.valueOf(2048), new DHParameterSpec(dhP2048, dhG));
+ dhCache.put(Integer.valueOf(3072), new DHParameterSpec(dhP3072, dhG));
+ dhCache.put(Integer.valueOf(4096), new DHParameterSpec(dhP4096, dhG));
+ dhCache.put(Integer.valueOf(6144), new DHParameterSpec(dhP6144, dhG));
+ dhCache.put(Integer.valueOf(8192), new DHParameterSpec(dhP8192, dhG));
}
-
}
diff -r bb795f69be65 src/share/classes/sun/security/ssl/DHCrypt.java
--- a/src/share/classes/sun/security/ssl/DHCrypt.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/sun/security/ssl/DHCrypt.java Sun May 29 16:09:37 2016 +1200
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -151,7 +151,7 @@
params.getP(), params.getG());
}
try {
- KeyFactory factory = JsseJce.getKeyFactory("DH");
+ KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
return factory.getKeySpec(key, DHPublicKeySpec.class);
} catch (Exception e) {
throw new RuntimeException(e);
@@ -302,7 +302,16 @@
"E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
"EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381" +
"FFFFFFFFFFFFFFFF", 16);
- private static final BigInteger p2048 = new BigInteger( // TLS FEDHE
+ private static final BigInteger p1536 = new BigInteger( // RFC 3526
+ "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1" +
+ "29024E088A67CC74020BBEA63B139B22514A08798E3404DD" +
+ "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245" +
+ "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" +
+ "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D" +
+ "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F" +
+ "83655D23DCA3AD961C62F356208552BB9ED529077096966D" +
+ "670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16);
+ private static final BigInteger p2048 = new BigInteger( // TLS FFDHE
"FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
"D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
"7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
@@ -314,9 +323,126 @@
"9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
"3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
"886B423861285C97FFFFFFFFFFFFFFFF", 16);
+ private static final BigInteger p3072 = new BigInteger( // TLS FFDHE
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+ "3C1B20EE3FD59D7C25E41D2B66C62E37FFFFFFFFFFFFFFFF", 16);
+ private static final BigInteger p4096 = new BigInteger( // TLS FFDHE
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+ "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" +
+ "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" +
+ "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" +
+ "A907600A918130C46DC778F971AD0038092999A333CB8B7A" +
+ "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" +
+ "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E655F6A" +
+ "FFFFFFFFFFFFFFFF", 16);
+ private static final BigInteger p6144 = new BigInteger( // TLS FFDHE
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+ "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" +
+ "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" +
+ "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" +
+ "A907600A918130C46DC778F971AD0038092999A333CB8B7A" +
+ "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" +
+ "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" +
+ "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" +
+ "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" +
+ "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" +
+ "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" +
+ "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" +
+ "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" +
+ "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" +
+ "D72B03746AE77F5E62292C311562A846505DC82DB854338A" +
+ "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" +
+ "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" +
+ "A41D570D7938DAD4A40E329CD0E40E65FFFFFFFFFFFFFFFF", 16);
+ private static final BigInteger p8192 = new BigInteger( // TLS FFDHE
+ "FFFFFFFFFFFFFFFFADF85458A2BB4A9AAFDC5620273D3CF1" +
+ "D8B9C583CE2D3695A9E13641146433FBCC939DCE249B3EF9" +
+ "7D2FE363630C75D8F681B202AEC4617AD3DF1ED5D5FD6561" +
+ "2433F51F5F066ED0856365553DED1AF3B557135E7F57C935" +
+ "984F0C70E0E68B77E2A689DAF3EFE8721DF158A136ADE735" +
+ "30ACCA4F483A797ABC0AB182B324FB61D108A94BB2C8E3FB" +
+ "B96ADAB760D7F4681D4F42A3DE394DF4AE56EDE76372BB19" +
+ "0B07A7C8EE0A6D709E02FCE1CDF7E2ECC03404CD28342F61" +
+ "9172FE9CE98583FF8E4F1232EEF28183C3FE3B1B4C6FAD73" +
+ "3BB5FCBC2EC22005C58EF1837D1683B2C6F34A26C1B2EFFA" +
+ "886B4238611FCFDCDE355B3B6519035BBC34F4DEF99C0238" +
+ "61B46FC9D6E6C9077AD91D2691F7F7EE598CB0FAC186D91C" +
+ "AEFE130985139270B4130C93BC437944F4FD4452E2D74DD3" +
+ "64F2E21E71F54BFF5CAE82AB9C9DF69EE86D2BC522363A0D" +
+ "ABC521979B0DEADA1DBF9A42D5C4484E0ABCD06BFA53DDEF" +
+ "3C1B20EE3FD59D7C25E41D2B669E1EF16E6F52C3164DF4FB" +
+ "7930E9E4E58857B6AC7D5F42D69F6D187763CF1D55034004" +
+ "87F55BA57E31CC7A7135C886EFB4318AED6A1E012D9E6832" +
+ "A907600A918130C46DC778F971AD0038092999A333CB8B7A" +
+ "1A1DB93D7140003C2A4ECEA9F98D0ACC0A8291CDCEC97DCF" +
+ "8EC9B55A7F88A46B4DB5A851F44182E1C68A007E5E0DD902" +
+ "0BFD64B645036C7A4E677D2C38532A3A23BA4442CAF53EA6" +
+ "3BB454329B7624C8917BDD64B1C0FD4CB38E8C334C701C3A" +
+ "CDAD0657FCCFEC719B1F5C3E4E46041F388147FB4CFDB477" +
+ "A52471F7A9A96910B855322EDB6340D8A00EF092350511E3" +
+ "0ABEC1FFF9E3A26E7FB29F8C183023C3587E38DA0077D9B4" +
+ "763E4E4B94B2BBC194C6651E77CAF992EEAAC0232A281BF6" +
+ "B3A739C1226116820AE8DB5847A67CBEF9C9091B462D538C" +
+ "D72B03746AE77F5E62292C311562A846505DC82DB854338A" +
+ "E49F5235C95B91178CCF2DD5CACEF403EC9D1810C6272B04" +
+ "5B3B71F9DC6B80D63FDD4A8E9ADB1E6962A69526D43161C1" +
+ "A41D570D7938DAD4A40E329CCFF46AAA36AD004CF600C838" +
+ "1E425A31D951AE64FDB23FCEC9509D43687FEB69EDD1CC5E" +
+ "0B8CC3BDF64B10EF86B63142A3AB8829555B2F747C932665" +
+ "CB2C0F1CC01BD70229388839D2AF05E454504AC78B758282" +
+ "2846C0BA35C35F5C59160CC046FD8251541FC68C9C86B022" +
+ "BB7099876A460E7451A8A93109703FEE1C217E6C3826E52C" +
+ "51AA691E0E423CFC99E9E31650C1217B624816CDAD9A95F9" +
+ "D5B8019488D9C0A0A1FE3075A577E23183F81D4A3F2FA457" +
+ "1EFC8CE0BA8A4FE8B6855DFE72B0A66EDED2FBABFBE58A30" +
+ "FAFABE1C5D71A87E2F741EF8C1FE86FEA6BBFDE530677F0D" +
+ "97D11D49F7A8443D0822E506A9F4614E011E2A94838FF88C" +
+ "D68C8BB7C5C6424CFFFFFFFFFFFFFFFF", 16);
private static final BigInteger[] supportedPrimes = {
- p512, p768, p1024, p2048};
+ p512, p768, p1024, p1536, p2048, p3072, p4096, p6144, p8192};
// a measure of the uncertainty that prime modulus p is not a prime
//
diff -r bb795f69be65 src/share/classes/sun/security/ssl/ServerHandshaker.java
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java Sun May 29 14:03:11 2016 +1200
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java Sun May 29 16:09:37 2016 +1200
@@ -134,11 +134,17 @@
useSmartEphemeralDHKeys = false;
try {
+ // DH parameter generation can be extremely slow, best to
+ // use one of the supported pre-computed DH parameters
+ // (see DHCrypt class).
customizedDHKeySize = Integer.parseUnsignedInt(property);
- if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) {
+ if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 ||
+ (customizedDHKeySize & 0x3f) != 0) {
throw new IllegalArgumentException(
- "Customized DH key size should be positive integer " +
- "between 1024 and 2048 bits, inclusive");
+ "Unsupported customized DH key size: " +
+ customizedDHKeySize + ". " +
+ "The key size must be multiple of 64, " +
+ "and can only range from 1024 to 8192 (inclusive)");
}
} catch (NumberFormatException nfe) {
throw new IllegalArgumentException(
@@ -1367,15 +1373,11 @@
* Applications may also want to customize the ephemeral DH key size
* to a fixed length for non-exportable cipher suites. This can be
* approached by setting system property "jdk.tls.ephemeralDHKeySize"
- * to a valid positive integer between 1024 and 2048 bits, inclusive.
+ * to a valid positive integer between 1024 and 8192 bits, inclusive.
*
* Note that the minimum acceptable key size is 1024 bits except
* exportable cipher suites or legacy mode.
*
- * Note that the maximum acceptable key size is 2048 bits because
- * DH keys bigger than 2048 are not always supported by underlying
- * JCE providers.
- *
* Note that per RFC 2246, the key size limit of DH is 512 bits for
* exportable cipher suites. Because of the weakness, exportable
* cipher suites are deprecated since TLS v1.1 and they are not
@@ -1390,10 +1392,17 @@
} else if (useSmartEphemeralDHKeys) { // matched mode
if (key != null) {
int ks = KeyUtil.getKeySize(key);
- // Note that SunJCE provider only supports 2048 bits DH
- // keys bigger than 1024. Please DON'T use value other
- // than 1024 and 2048 at present. We may improve the
- // underlying providers and key size here in the future.
+
+ // DH parameter generation can be extremely slow, make
+ // sure to use one of the supported pre-computed DH
+ // parameters (see DHCrypt class).
+ //
+ // Old deployed applications may not be ready to support
+ // DH key sizes bigger than 2048 bits. Please DON'T use
+ // value other than 1024 and 2048 at present. May improve
+ // the underlying providers and key size limit in the
+ // future when the compatibility and interoperability
+ // impact is limited.
//
// keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
keySize = ks <= 1024 ? 1024 : 2048;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment