RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager
Artur Barashev
abarashev at openjdk.org
Mon May 12 16:12:04 UTC 2025
When the deafult SunX509KeyManagerImpl is being used we are in violation of TLSv1.3 RFC spec because we ignore peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions:
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3
X509KeyManagerImpl on the other hand includes the algorithms sent by the peer in "signature_algorithms_cert" extension (or in "signature_algorithms" extension when "signature_algorithms_cert" extension isn't present) in the algorithm constraints being checked.
-------------
Commit messages:
- Add unit test
- Code refactoring
- Fix open unit tests
- Adding a system property to skip the constraints checking. Remove SunX509c.
- Fix constraints check
- Revert SSLHandshake.java. Set SunX509c as default. Update copyright.
- 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager
- Address review comments
- Skip explicit KeyPair initialization and let the provider default set it
- Rework unit tests
- ... and 3 more: https://git.openjdk.org/jdk/compare/cd8adf13...75528109
Changes: https://git.openjdk.org/jdk/pull/25016/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8353113
Stats: 1168 lines in 15 files changed: 769 ins; 333 del; 66 mod
Patch: https://git.openjdk.org/jdk/pull/25016.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/25016/head:pull/25016
PR: https://git.openjdk.org/jdk/pull/25016
More information about the core-libs-dev
mailing list