TKSS-678: Better certificate key usage checking on TLCP

Tencent · Feb 6, 2024 · 44b6b4f · 44b6b4f
1 parent 7699a9e
commit 44b6b4f
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 19 deletions.
diff --git a/kona-pkix/src/main/java/com/tencent/kona/sun/security/validator/EndEntityChecker.java b/kona-pkix/src/main/java/com/tencent/kona/sun/security/validator/EndEntityChecker.java
@@ -29,7 +29,6 @@
 
 import java.security.cert.*;
 
-import com.tencent.kona.pkix.PKIXUtils;
 import com.tencent.kona.sun.security.util.KnownOIDs;
 import com.tencent.kona.sun.security.x509.NetscapeCertTypeExtension;
 
@@ -238,14 +237,7 @@ private boolean checkKeyUsage(X509Certificate cert, int bit) {
      */
     private void checkTLSClient(X509Certificate cert, Set<String> exts)
             throws CertificateException {
-        if (PKIXUtils.isSMCert(cert)) {
-            if (!checkKeyUsage(cert, KU_KEY_ENCIPHERMENT)
-                    && !checkKeyUsage(cert, KU_SIGNATURE)) {
-                throw new ValidatorException(
-                        "SM certificate must allow encipherment or digital signature",
-                        ValidatorException.T_EE_EXTENSIONS, cert);
-            }
-        } else if (!checkKeyUsage(cert, KU_SIGNATURE)) {
+        if (!checkKeyUsage(cert, KU_SIGNATURE)) {
             throw new ValidatorException
                     ("KeyUsage does not allow digital signatures",
                             ValidatorException.T_EE_EXTENSIONS, cert);
@@ -277,20 +269,18 @@ private void checkTLSClient(X509Certificate cert, Set<String> exts)
      */
     private void checkTLSServer(X509Certificate cert, String parameter,
                                 Set<String> exts) throws CertificateException {
-        if (PKIXUtils.isSMCert(cert)) {
-            if (!checkKeyUsage(cert, KU_KEY_ENCIPHERMENT)
-                    && !checkKeyUsage(cert, KU_SIGNATURE)) {
-                throw new ValidatorException(
-                        "SM certificate must allow encipherment or digital signature",
-                        ValidatorException.T_EE_EXTENSIONS, cert);
-            }
-        } else if (KU_SERVER_ENCRYPTION.contains(parameter)) {
+        if (KU_SERVER_ENCRYPTION.contains(parameter)) {
             if (!checkKeyUsage(cert, KU_KEY_ENCIPHERMENT)) {
                 throw new ValidatorException
                         ("KeyUsage does not allow key encipherment",
                                 ValidatorException.T_EE_EXTENSIONS, cert);
             }
-        } else if (KU_SERVER_SIGNATURE.contains(parameter)) {
+        } else if (KU_SERVER_SIGNATURE.contains(parameter)
+                // SM2 and SM2E are used on TLCP 1.1 only,
+                // and the first certificate, namely sign certificate,
+                // always has digitalSignature key usage.
+                || "SM2".equalsIgnoreCase(parameter)
+                || "SM2E".equalsIgnoreCase(parameter)) {
             if (!checkKeyUsage(cert, KU_SIGNATURE)) {
                 throw new ValidatorException
                         ("KeyUsage does not allow digital signatures",

diff --git a/kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLMasterKeyDerivation.java b/kona-ssl/src/main/java/com/tencent/kona/sun/security/ssl/SSLMasterKeyDerivation.java
@@ -118,7 +118,7 @@ public SecretKey deriveKey(String algorithm,
             } else {
                 if (protocolVersion.isTLCP11()) {
                     masterAlg = "TlcpMasterSecret";
-                    hashAlg = HashAlg.H_SM3;
+                    hashAlg = cipherSuite.hashAlg;
                 } else if (protocolVersion.id >= ProtocolVersion.TLS12.id) {
                     masterAlg = "SunTls12MasterSecret";
                     hashAlg = cipherSuite.hashAlg;