< prev index next >

src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java

Print this page

        

@@ -28,28 +28,33 @@
 import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.security.AlgorithmConstraints;
 import java.security.AlgorithmParameters;
 import java.security.CryptoPrimitive;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.AlgorithmParameterSpec;
 import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
 import java.security.spec.InvalidParameterSpecException;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.EnumSet;
+import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Locale;
+import java.util.Map;
+import javax.crypto.spec.DHParameterSpec;
 import javax.net.ssl.SSLProtocolException;
 import sun.security.action.GetPropertyAction;
-import sun.security.ssl.NamedGroup.NamedGroupType;
 import static sun.security.ssl.SSLExtension.CH_SUPPORTED_GROUPS;
 import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
 import sun.security.ssl.SSLExtension.ExtensionConsumer;
 import sun.security.ssl.SSLExtension.SSLExtensionSpec;
 import sun.security.ssl.SSLHandshake.HandshakeMessage;
-
+import sun.security.util.ECUtil;
 
 /**
  * Pack of the "supported_groups" extensions [RFC 4492/7919].
  */
 final class SupportedGroupsExtension {

@@ -151,15 +156,324 @@
                 return ioe.getMessage();
             }
         }
     }
 
+    static enum NamedGroupType {
+        NAMED_GROUP_ECDHE     ("EC"),
+        NAMED_GROUP_FFDHE     ("DiffieHellman"),
+        NAMED_GROUP_X25519    ("x25519"),
+        NAMED_GROUP_X448      ("x448"),
+        NAMED_GROUP_ARBITRARY ("EC"),
+        NAMED_GROUP_NONE      ("");
+
+        private final String algorithm;
+
+        private NamedGroupType(String algorithm) {
+            this.algorithm = algorithm;
+        }
+
+        boolean isSupported(List<CipherSuite> cipherSuites) {
+            for (CipherSuite cs : cipherSuites) {
+                if (cs.keyExchange == null ||
+                        cs.keyExchange.groupType == this) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+    }
+
+    static enum NamedGroup {
+        // Elliptic Curves (RFC 4492)
+        //
+        // See sun.security.util.CurveDB for the OIDs
+        // NIST K-163
+        SECT163_K1  (0x0001, "sect163k1", "1.3.132.0.1",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT163_R1  (0x0002, "sect163r1", "1.3.132.0.2",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-163
+        SECT163_R2  (0x0003, "sect163r2", "1.3.132.0.15",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT193_R1  (0x0004, "sect193r1", "1.3.132.0.24",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT193_R2  (0x0005, "sect193r2", "1.3.132.0.25",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-233
+        SECT233_K1  (0x0006, "sect233k1", "1.3.132.0.26",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-233
+        SECT233_R1  (0x0007, "sect233r1", "1.3.132.0.27",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT239_K1  (0x0008, "sect239k1", "1.3.132.0.3",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-283
+        SECT283_K1  (0x0009, "sect283k1", "1.3.132.0.16",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-283
+        SECT283_R1  (0x000A, "sect283r1", "1.3.132.0.17",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-409
+        SECT409_K1  (0x000B, "sect409k1", "1.3.132.0.36",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-409
+        SECT409_R1  (0x000C, "sect409r1", "1.3.132.0.37",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-571
+        SECT571_K1  (0x000D, "sect571k1", "1.3.132.0.38",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-571
+        SECT571_R1  (0x000E, "sect571r1", "1.3.132.0.39",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP160_K1  (0x000F, "secp160k1", "1.3.132.0.9",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP160_R1  (0x0010, "secp160r1", "1.3.132.0.8",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP160_R2  (0x0011, "secp160r2", "1.3.132.0.30",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP192_K1  (0x0012, "secp192k1", "1.3.132.0.31",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST P-192
+        SECP192_R1  (0x0013, "secp192r1", "1.2.840.10045.3.1.1",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP224_K1  (0x0014, "secp224k1", "1.3.132.0.32",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        // NIST P-224
+        SECP224_R1  (0x0015, "secp224r1", "1.3.132.0.33",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP256_K1  (0x0016, "secp256k1", "1.3.132.0.10",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST P-256
+        SECP256_R1  (0x0017, "secp256r1", "1.2.840.10045.3.1.7",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // NIST P-384
+        SECP384_R1  (0x0018, "secp384r1", "1.3.132.0.34",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // NIST P-521
+        SECP521_R1  (0x0019, "secp521r1", "1.3.132.0.35",
+                            NamedGroupType.NAMED_GROUP_ECDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // x25519 and x448
+        X25519      (0x001D, "x25519", null,
+                            NamedGroupType.NAMED_GROUP_X25519,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        X448        (0x001E, "x448", null,
+                            NamedGroupType.NAMED_GROUP_X448,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
+        FFDHE_2048  (0x0100, "ffdhe2048", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_3072  (0x0101, "ffdhe3072", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_4096  (0x0102, "ffdhe4096", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_6144  (0x0103, "ffdhe6144", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_8192  (0x0104, "ffdhe8192", null,
+                            NamedGroupType.NAMED_GROUP_FFDHE,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // Elliptic Curves (RFC 4492)
+        //
+        // arbitrary prime and characteristic-2 curves
+        ARBITRARY_PRIME  (0xFF01, "arbitrary_explicit_prime_curves", null,
+                            NamedGroupType.NAMED_GROUP_ARBITRARY,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        ARBITRARY_CHAR2  (0xFF02, "arbitrary_explicit_char2_curves", null,
+                            NamedGroupType.NAMED_GROUP_ARBITRARY,
+                            ProtocolVersion.PROTOCOLS_TO_12);
+
+        final int id;               // hash + signature
+        final NamedGroupType type;  // group type
+        final String name;          // literal name
+        final String oid;           // object identifier of the named group
+        final String algorithm;     // signature algorithm
+        final ProtocolVersion[] supportedProtocols;
+
+        private NamedGroup(int id, String name, String oid,
+                NamedGroupType namedGroupType,
+                ProtocolVersion[] supportedProtocols) {
+            this.id = id;
+            this.type = namedGroupType;
+            this.name = name;
+            this.oid = oid;
+            this.algorithm = namedGroupType.algorithm;
+            this.supportedProtocols = supportedProtocols;
+        }
+
+        static NamedGroup valueOf(int id) {
+            for (NamedGroup group : NamedGroup.values()) {
+                if (group.id == id) {
+                    return group;
+                }
+            }
+
+            return null;
+        }
+
+        static NamedGroup valueOf(ECParameterSpec params) {
+            String oid = ECUtil.getCurveName(null, params);
+            if ((oid != null) && (!oid.isEmpty())) {
+                for (NamedGroup group : NamedGroup.values()) {
+                    if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) &&
+                            oid.equals(group.oid)) {
+                        return group;
+                    }
+                }
+            }
+
+            return null;
+        }
+
+        static NamedGroup valueOf(DHParameterSpec params) {
+            for (Map.Entry<NamedGroup, AlgorithmParameters> me :
+                    SupportedGroups.namedGroupParams.entrySet()) {
+                NamedGroup ng = me.getKey();
+                if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
+                    continue;
+                }
+
+                DHParameterSpec ngParams = null;
+                AlgorithmParameters aps = me.getValue();
+                try {
+                    ngParams = aps.getParameterSpec(DHParameterSpec.class);
+                } catch (InvalidParameterSpecException ipse) {
+                    // should be unlikely
+                }
+
+                if (ngParams == null) {
+                    continue;
+                }
+
+                if (ngParams.getP().equals(params.getP()) &&
+                        ngParams.getG().equals(params.getG())) {
+                    return ng;
+                }
+            }
+
+            return null;
+        }
+
+        static NamedGroup nameOf(String name) {
+            for (NamedGroup group : NamedGroup.values()) {
+                if (group.name.equals(name)) {
+                    return group;
+                }
+            }
+
+            return null;
+        }
+
+        static String nameOf(int id) {
+            for (NamedGroup group : NamedGroup.values()) {
+                if (group.id == id) {
+                    return group.name;
+                }
+            }
+
+            return "UNDEFINED-NAMED-GROUP(" + id + ")";
+        }
+
+        boolean isAvailable(List<ProtocolVersion> protocolVersions) {
+            for (ProtocolVersion pv : supportedProtocols) {
+                if (protocolVersions.contains(pv)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        boolean isAvailable(ProtocolVersion protocolVersion) {
+            for (ProtocolVersion pv : supportedProtocols) {
+                if (protocolVersion == pv) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        boolean isSupported(List<CipherSuite> cipherSuites) {
+            for (CipherSuite cs : cipherSuites) {
+                boolean isMatch = isAvailable(cs.supportedProtocols);
+                if (isMatch && (cs.keyExchange == null ||
+                        cs.keyExchange.groupType == type)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        // lazy loading of parameters
+        AlgorithmParameters getParameters() {
+            return SupportedGroups.namedGroupParams.get(this);
+        }
+
+        AlgorithmParameterSpec getParameterSpec() {
+            if (this.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                return SupportedGroups.getECGenParamSpec(this);
+            } else if (this.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                return SupportedGroups.getDHParameterSpec(this);
+            }
+
+            return null;
+        }
+    }
+
     static class SupportedGroups {
         // To switch off the supported_groups extension for DHE cipher suite.
         static final boolean enableFFDHE =
                 Utilities.getBooleanProperty("jsse.enableFFDHE", true);
 
+        // cache to speed up the parameters construction
+        static final Map<NamedGroup,
+                    AlgorithmParameters> namedGroupParams = new HashMap<>();
+
         // the supported named groups
         static final NamedGroup[] supportedNamedGroups;
 
         static {
             // The value of the System Property defines a list of enabled named

@@ -200,34 +514,25 @@
                             "System property jdk.tls.namedGroups(" +
                             property + ") contains no supported named groups");
                 }
             } else {        // default groups
                 NamedGroup[] groups = new NamedGroup[] {
-
-                        // Primary XDH (RFC 7748) curves
-                        NamedGroup.X25519,
-
-                        // Primary NIST curves (e.g. used in TLSv1.3)
+                        // NIST curves first
                         NamedGroup.SECP256_R1,
                         NamedGroup.SECP384_R1,
                         NamedGroup.SECP521_R1,
-
-                        // Secondary XDH curves
-                        NamedGroup.X448,
-
-                        // Secondary NIST curves
                         NamedGroup.SECT283_K1,
                         NamedGroup.SECT283_R1,
                         NamedGroup.SECT409_K1,
                         NamedGroup.SECT409_R1,
                         NamedGroup.SECT571_K1,
                         NamedGroup.SECT571_R1,
 
                         // non-NIST curves
                         NamedGroup.SECP256_K1,
 
-                        // FFDHE (RFC 7919)
+                        // FFDHE 2048
                         NamedGroup.FFDHE_2048,
                         NamedGroup.FFDHE_3072,
                         NamedGroup.FFDHE_4096,
                         NamedGroup.FFDHE_6144,
                         NamedGroup.FFDHE_8192,

@@ -253,31 +558,130 @@
             }
         }
 
         // check whether the group is supported by the underlying providers
         private static boolean isAvailableGroup(NamedGroup namedGroup) {
-            return namedGroup.isAvailableGroup();
+            AlgorithmParameters params = null;
+            AlgorithmParameterSpec spec = null;
+            if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                if (namedGroup.oid != null) {
+                    try {
+                        params = AlgorithmParameters.getInstance("EC");
+                        spec = new ECGenParameterSpec(namedGroup.oid);
+                    } catch (NoSuchAlgorithmException e) {
+                        return false;
+                    }
+                }
+            } else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                try {
+                    params = AlgorithmParameters.getInstance("DiffieHellman");
+                    spec = getFFDHEDHParameterSpec(namedGroup);
+                } catch (NoSuchAlgorithmException e) {
+                    return false;
+                }
+            }   // Otherwise, unsupported.
+
+            if ((params != null) && (spec != null)) {
+                try {
+                    params.init(spec);
+                } catch (InvalidParameterSpecException e) {
+                    return false;
+                }
+
+                // cache the parameters
+                namedGroupParams.put(namedGroup, params);
+
+                return true;
+            }
+
+            return false;
         }
 
-        static ECGenParameterSpec getECGenParamSpec(NamedGroup ng) {
-            if (ng.type != NamedGroupType.NAMED_GROUP_ECDHE) {
-                 throw new RuntimeException(
-                         "Not a named EC group: " + ng);
+        private static DHParameterSpec getFFDHEDHParameterSpec(
+                NamedGroup namedGroup) {
+            DHParameterSpec spec = null;
+            switch (namedGroup) {
+                case FFDHE_2048:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(2048);
+                    break;
+                case FFDHE_3072:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(3072);
+                    break;
+                case FFDHE_4096:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(4096);
+                    break;
+                case FFDHE_6144:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(6144);
+                    break;
+                case FFDHE_8192:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(8192);
+            }
+
+            return spec;
+        }
+
+        private static DHParameterSpec getPredefinedDHParameterSpec(
+                NamedGroup namedGroup) {
+            DHParameterSpec spec = null;
+            switch (namedGroup) {
+                case FFDHE_2048:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(2048);
+                    break;
+                case FFDHE_3072:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(3072);
+                    break;
+                case FFDHE_4096:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(4096);
+                    break;
+                case FFDHE_6144:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(6144);
+                    break;
+                case FFDHE_8192:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(8192);
+            }
+
+            return spec;
+        }
+
+        static ECGenParameterSpec getECGenParamSpec(NamedGroup namedGroup) {
+            if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) {
+                throw new RuntimeException(
+                        "Not a named EC group: " + namedGroup);
+            }
+
+            AlgorithmParameters params = namedGroupParams.get(namedGroup);
+            if (params == null) {
+                throw new RuntimeException(
+                        "Not a supported EC named group: " + namedGroup);
             }
 
-            // parameters are non-null
-            AlgorithmParameters params = ng.getParameters();
             try {
                 return params.getParameterSpec(ECGenParameterSpec.class);
             } catch (InvalidParameterSpecException ipse) {
                 // should be unlikely
-                return new ECGenParameterSpec(ng.oid);
+                return new ECGenParameterSpec(namedGroup.oid);
             }
         }
 
-        static AlgorithmParameters getParameters(NamedGroup ng) {
-            return ng.getParameters();
+        static DHParameterSpec getDHParameterSpec(NamedGroup namedGroup) {
+            if (namedGroup.type != NamedGroupType.NAMED_GROUP_FFDHE) {
+                throw new RuntimeException(
+                        "Not a named DH group: " + namedGroup);
+            }
+
+            AlgorithmParameters params = namedGroupParams.get(namedGroup);
+            if (params == null) {
+                throw new RuntimeException(
+                        "Not a supported DH named group: " + namedGroup);
+            }
+
+            try {
+                return params.getParameterSpec(DHParameterSpec.class);
+            } catch (InvalidParameterSpecException ipse) {
+                // should be unlikely
+                return getPredefinedDHParameterSpec(namedGroup);
+            }
         }
 
         // Is there any supported group permitted by the constraints?
         static boolean isActivatable(
                 AlgorithmConstraints constraints, NamedGroupType type) {

@@ -286,11 +690,11 @@
             for (NamedGroup namedGroup : supportedNamedGroups) {
                 if (namedGroup.type == type) {
                     if (constraints.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                             namedGroup.algorithm,
-                            getParameters(namedGroup))) {
+                            namedGroupParams.get(namedGroup))) {
 
                         return true;
                     }
 
                     if (!hasFFDHEGroups &&

@@ -317,11 +721,11 @@
             }
 
             return constraints.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                             namedGroup.algorithm,
-                            getParameters(namedGroup));
+                            namedGroupParams.get(namedGroup));
         }
 
         // Is the named group supported?
         static boolean isSupported(NamedGroup namedGroup) {
             for (NamedGroup group : supportedNamedGroups) {

@@ -333,37 +737,37 @@
             return false;
         }
 
         static NamedGroup getPreferredGroup(
                 ProtocolVersion negotiatedProtocol,
-                AlgorithmConstraints constraints, NamedGroupType[] types,
+                AlgorithmConstraints constraints, NamedGroupType type,
                 List<NamedGroup> requestedNamedGroups) {
             for (NamedGroup namedGroup : requestedNamedGroups) {
-                if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
+                if ((namedGroup.type == type) &&
                         namedGroup.isAvailable(negotiatedProtocol) &&
                         isSupported(namedGroup) &&
                         constraints.permits(
                                 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 namedGroup.algorithm,
-                                getParameters(namedGroup))) {
+                                namedGroupParams.get(namedGroup))) {
                     return namedGroup;
                 }
             }
 
             return null;
         }
 
         static NamedGroup getPreferredGroup(
                 ProtocolVersion negotiatedProtocol,
-                AlgorithmConstraints constraints, NamedGroupType[] types) {
+                AlgorithmConstraints constraints, NamedGroupType type) {
             for (NamedGroup namedGroup : supportedNamedGroups) {
-                if ((NamedGroupType.arrayContains(types, namedGroup.type)) &&
+                if ((namedGroup.type == type) &&
                         namedGroup.isAvailable(negotiatedProtocol) &&
                         constraints.permits(
                                 EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 namedGroup.algorithm,
-                                getParameters(namedGroup))) {
+                                namedGroupParams.get(namedGroup))) {
                     return namedGroup;
                 }
             }
 
             return null;

@@ -407,11 +811,11 @@
 
                 if (ng.isAvailable(chc.activeProtocols) &&
                         ng.isSupported(chc.activeCipherSuites) &&
                         chc.algorithmConstraints.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                            ng.algorithm, getParameters(ng))) {
+                            ng.algorithm, namedGroupParams.get(ng))) {
                     namedGroups.add(ng);
                 } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                     SSLLogger.fine(
                         "Ignore inactive or disabled named group: " + ng.name);
                 }

@@ -534,11 +938,11 @@
 
                 if (ng.isAvailable(shc.activeProtocols) &&
                         ng.isSupported(shc.activeCipherSuites) &&
                         shc.algorithmConstraints.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                            ng.algorithm, getParameters(ng))) {
+                            ng.algorithm, namedGroupParams.get(ng))) {
                     namedGroups.add(ng);
                 } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                     SSLLogger.fine(
                         "Ignore inactive or disabled named group: " + ng.name);
                 }
< prev index next >