Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

dghgit · dghgit · commit e3806170c568 · 2025-12-29T15:17:21.000+11:00
diff --git a/pg/src/main/java/org/bouncycastle/openpgp/PGPSessionKey.java b/pg/src/main/java/org/bouncycastle/openpgp/PGPSessionKey.java
@@ -3,10 +3,13 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
+import org.bouncycastle.util.Arrays;
 import org.bouncycastle.util.encoders.Hex;
 
 public class PGPSessionKey
 {
+    private static final Pattern ASCII_ENCODING_PATTERN = Pattern.compile("(\\d{1,3}):([0-9A-Fa-f]+)");
+
     private final int algorithm;
     private final byte[] sessionKey;
 
@@ -23,22 +26,20 @@ public int getAlgorithm()
 
     public byte[] getKey()
     {
-        byte[] copy = new byte[sessionKey.length];
-        System.arraycopy(sessionKey, 0, copy, 0, sessionKey.length);
-        return copy;
+        return Arrays.clone(sessionKey);
     }
 
-    @SuppressWarnings("ArrayToString")
     public String toString()
     {
-        // mote: we only print the reference to sessionKey to prevent accidental disclosure of the actual key value.
-        return algorithm + ":" + sessionKey;
+        // NOTE: Avoid disclosing the sessionKey value.
+        String sessionKeyHashCode = Integer.toHexString(System.identityHashCode(sessionKey));
+
+        return algorithm + ":" + sessionKey.getClass().getName() + "@" + sessionKeyHashCode;
     }
 
     public static PGPSessionKey fromAsciiRepresentation(String ascii)
     {
-        Pattern pattern = Pattern.compile("(\\d{1,3}):([0-9A-Fa-f]+)");
-        Matcher matcher = pattern.matcher(ascii);
+        Matcher matcher = ASCII_ENCODING_PATTERN.matcher(ascii);
         if (!matcher.matches())
         {
             throw new IllegalArgumentException("Provided ascii encoding does not match expected format <algo-num>:<hex-key>");
diff --git a/pg/src/test/java/org/bouncycastle/openpgp/test/PGPSessionKeyTest.java b/pg/src/test/java/org/bouncycastle/openpgp/test/PGPSessionKeyTest.java
@@ -88,9 +88,9 @@ public class PGPSessionKeyTest
     public static void main(String[] args)
         throws Exception
     {
-        PGPSessionKeyTest test = new PGPSessionKeyTest();
         Security.addProvider(new BouncyCastleProvider());
-        test.performTest();
+
+        runTest(new PGPSessionKeyTest());
     }
 
     public String getName()
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java b/tls/src/main/java/org/bouncycastle/jsse/provider/ProvSSLContextSpi.java
@@ -342,9 +342,11 @@ private static Map<String, ProtocolVersion> createSupportedProtocolMapFips(
     }
 
     private static String[] getDefaultEnabledCipherSuites(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,
-        List<String> defaultCipherSuiteList, boolean disableDHDefaultSuites, String cipherSuitesPropertyName)
+        List<String> defaultCipherSuiteList, boolean disableDHDefaultSuites, String cipherSuitesPropertyName,
+        String title)
     {
         List<String> candidates = getJdkTlsCipherSuites(cipherSuitesPropertyName, defaultCipherSuiteList);
+        boolean disableDHSuites = disableDHDefaultSuites && candidates == defaultCipherSuiteList;
 
         String[] result = new String[candidates.size()];
         int count = 0;
@@ -355,15 +357,15 @@ private static String[] getDefaultEnabledCipherSuites(Map<String, CipherSuiteInf
             {
                 continue;
             }
-            if (disableDHDefaultSuites &&
-                candidates == defaultCipherSuiteList &&
-                TlsDHUtils.isDHCipherSuite(cipherSuiteInfo.getCipherSuite()))
+            if (disableDHSuites && TlsDHUtils.isDHCipherSuite(cipherSuiteInfo.getCipherSuite()))
             {
+                LOG.finer(title + " default cipher suite disabled per DH disabling: " + candidate);
                 continue;
             }
             if (!ProvAlgorithmConstraints.DEFAULT.permits(JsseUtils.KEY_AGREEMENT_CRYPTO_PRIMITIVES_BC, candidate,
                 null))
             {
+                LOG.fine(title + " default cipher suite disabled by AlgorithmConstraints: " + candidate);
                 continue;
             }
 
@@ -379,7 +381,7 @@ private static String[] getDefaultEnabledCipherSuitesClient(Map<String, CipherSu
             .getBooleanSystemProperty("org.bouncycastle.jsse.client.dh.disableDefaultSuites", false);
 
         return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, defaultCipherSuiteList, disableDHDefaultSuites,
-            PROPERTY_CLIENT_CIPHERSUITES);
+            PROPERTY_CLIENT_CIPHERSUITES, "Client");
     }
 
     private static String[] getDefaultEnabledCipherSuitesServer(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,
@@ -389,7 +391,7 @@ private static String[] getDefaultEnabledCipherSuitesServer(Map<String, CipherSu
             .getBooleanSystemProperty("org.bouncycastle.jsse.server.dh.disableDefaultSuites", false);
 
         return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, defaultCipherSuiteList, disableDHDefaultSuites,
-            PROPERTY_SERVER_CIPHERSUITES);
+            PROPERTY_SERVER_CIPHERSUITES, "Server");
     }
 
     private static String[] getDefaultEnabledProtocols(Map<String, ProtocolVersion> supportedProtocolMap,

Original file line number	Diff line number	Diff line change
`@@ -3,10 +3,13 @@`
`3`	`3`	`import java.util.regex.Matcher;`
`4`	`4`	`import java.util.regex.Pattern;`
`5`	`5`
	`6`	`+import org.bouncycastle.util.Arrays;`
`6`	`7`	`import org.bouncycastle.util.encoders.Hex;`
`7`	`8`
`8`	`9`	`public class PGPSessionKey`
`9`	`10`	`{`
	`11`	`+ private static final Pattern ASCII_ENCODING_PATTERN = Pattern.compile("(\\d{1,3}):([0-9A-Fa-f]+)");`
	`12`	`+`
`10`	`13`	`private final int algorithm;`
`11`	`14`	`private final byte[] sessionKey;`
`12`	`15`
`@@ -23,22 +26,20 @@ public int getAlgorithm()`
`23`	`26`
`24`	`27`	`public byte[] getKey()`
`25`	`28`	`{`
`26`		`- byte[] copy = new byte[sessionKey.length];`
`27`		`- System.arraycopy(sessionKey, 0, copy, 0, sessionKey.length);`
`28`		`- return copy;`
	`29`	`+ return Arrays.clone(sessionKey);`
`29`	`30`	`}`
`30`	`31`
`31`		`- @SuppressWarnings("ArrayToString")`
`32`	`32`	`public String toString()`
`33`	`33`	`{`
`34`		`- // mote: we only print the reference to sessionKey to prevent accidental disclosure of the actual key value.`
`35`		`- return algorithm + ":" + sessionKey;`
	`34`	`+ // NOTE: Avoid disclosing the sessionKey value.`
	`35`	`+ String sessionKeyHashCode = Integer.toHexString(System.identityHashCode(sessionKey));`
	`36`	`+`
	`37`	`+ return algorithm + ":" + sessionKey.getClass().getName() + "@" + sessionKeyHashCode;`
`36`	`38`	`}`
`37`	`39`
`38`	`40`	`public static PGPSessionKey fromAsciiRepresentation(String ascii)`
`39`	`41`	`{`
`40`		`- Pattern pattern = Pattern.compile("(\\d{1,3}):([0-9A-Fa-f]+)");`
`41`		`- Matcher matcher = pattern.matcher(ascii);`
	`42`	`+ Matcher matcher = ASCII_ENCODING_PATTERN.matcher(ascii);`
`42`	`43`	`if (!matcher.matches())`
`43`	`44`	`{`
`44`	`45`	`throw new IllegalArgumentException("Provided ascii encoding does not match expected format <algo-num>:<hex-key>");`
Original file line number	Diff line number	Diff line change
`@@ -88,9 +88,9 @@ public class PGPSessionKeyTest`
`88`	`88`	`public static void main(String[] args)`
`89`	`89`	`throws Exception`
`90`	`90`	`{`
`91`		`- PGPSessionKeyTest test = new PGPSessionKeyTest();`
`92`	`91`	`Security.addProvider(new BouncyCastleProvider());`
`93`		`- test.performTest();`
	`92`	`+`
	`93`	`+ runTest(new PGPSessionKeyTest());`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`public String getName()`
Original file line number	Diff line number	Diff line change
`@@ -342,9 +342,11 @@ private static Map<String, ProtocolVersion> createSupportedProtocolMapFips(`
`342`	`342`	`}`
`343`	`343`
`344`	`344`	`private static String[] getDefaultEnabledCipherSuites(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,`
`345`		`- List<String> defaultCipherSuiteList, boolean disableDHDefaultSuites, String cipherSuitesPropertyName)`
	`345`	`+ List<String> defaultCipherSuiteList, boolean disableDHDefaultSuites, String cipherSuitesPropertyName,`
	`346`	`+ String title)`
`346`	`347`	`{`
`347`	`348`	`List<String> candidates = getJdkTlsCipherSuites(cipherSuitesPropertyName, defaultCipherSuiteList);`
	`349`	`+ boolean disableDHSuites = disableDHDefaultSuites && candidates == defaultCipherSuiteList;`
`348`	`350`
`349`	`351`	`String[] result = new String[candidates.size()];`
`350`	`352`	`int count = 0;`
`@@ -355,15 +357,15 @@ private static String[] getDefaultEnabledCipherSuites(Map<String, CipherSuiteInf`
`355`	`357`	`{`
`356`	`358`	`continue;`
`357`	`359`	`}`
`358`		`- if (disableDHDefaultSuites &&`
`359`		`- candidates == defaultCipherSuiteList &&`
`360`		`- TlsDHUtils.isDHCipherSuite(cipherSuiteInfo.getCipherSuite()))`
	`360`	`+ if (disableDHSuites && TlsDHUtils.isDHCipherSuite(cipherSuiteInfo.getCipherSuite()))`
`361`	`361`	`{`
	`362`	`+ LOG.finer(title + " default cipher suite disabled per DH disabling: " + candidate);`
`362`	`363`	`continue;`
`363`	`364`	`}`
`364`	`365`	`if (!ProvAlgorithmConstraints.DEFAULT.permits(JsseUtils.KEY_AGREEMENT_CRYPTO_PRIMITIVES_BC, candidate,`
`365`	`366`	`null))`
`366`	`367`	`{`
	`368`	`+ LOG.fine(title + " default cipher suite disabled by AlgorithmConstraints: " + candidate);`
`367`	`369`	`continue;`
`368`	`370`	`}`
`369`	`371`
`@@ -379,7 +381,7 @@ private static String[] getDefaultEnabledCipherSuitesClient(Map<String, CipherSu`
`379`	`381`	`.getBooleanSystemProperty("org.bouncycastle.jsse.client.dh.disableDefaultSuites", false);`
`380`	`382`
`381`	`383`	`return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, defaultCipherSuiteList, disableDHDefaultSuites,`
`382`		`- PROPERTY_CLIENT_CIPHERSUITES);`
	`384`	`+ PROPERTY_CLIENT_CIPHERSUITES, "Client");`
`383`	`385`	`}`
`384`	`386`
`385`	`387`	`private static String[] getDefaultEnabledCipherSuitesServer(Map<String, CipherSuiteInfo> supportedCipherSuiteMap,`
`@@ -389,7 +391,7 @@ private static String[] getDefaultEnabledCipherSuitesServer(Map<String, CipherSu`
`389`	`391`	`.getBooleanSystemProperty("org.bouncycastle.jsse.server.dh.disableDefaultSuites", false);`
`390`	`392`
`391`	`393`	`return getDefaultEnabledCipherSuites(supportedCipherSuiteMap, defaultCipherSuiteList, disableDHDefaultSuites,`
`392`		`- PROPERTY_SERVER_CIPHERSUITES);`
	`394`	`+ PROPERTY_SERVER_CIPHERSUITES, "Server");`
`393`	`395`	`}`
`394`	`396`
`395`	`397`	`private static String[] getDefaultEnabledProtocols(Map<String, ProtocolVersion> supportedProtocolMap,`