[jdk21u-dev] RFR: 8350807: Certificates using MD5 algorithm that are disabled by default are incorrectly allowed in TLSv1.3 when re-enabled

Martin Doerr mdoerr at openjdk.org
Sat Aug 23 18:55:32 UTC 2025


On Wed, 13 Aug 2025 12:46:58 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:

> I backport this for parity with 21.0.9-oracle.
> 
> Resolved one copyright. It is already at 2025.
> 
> But test MD5NotAllowedInTLS13CertificateSignature.java is failing.
> It throws ArrayIndexOutOfBoundsException: Index 0 out of bounds for length 0
> 	at MD5NotAllowedInTLS13CertificateSignature.lambda$main$1(MD5NotAllowedInTLS13CertificateSignature.java:100)
> 
> It expects an array of length 1 containing the exception javax.net.ssl.SSLHandshakeException: (bad_certificate) PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: MD5withRSA
> 
> All other testing, i.e. our nightlies and the tests touched here, pass.

test/jdk/sun/security/ssl/SignatureScheme/MD5NotAllowedInTLS13CertificateSignature.java line 218:

> 216:                 .setSubjectName(subjectName)
> 217:                 .setPublicKey(publicKey)
> 218:                 .setNotAfter(

Should be `setNotBefore`. This makes the test work and avoids the NullPointerException which we have seen. This was fixed in head by https://github.com/openjdk/jdk/commit/e544cd992099ef905266610c2c1456705cdc4587#diff-d1ab84463ba0a7169ea2a4709b6860c8c943251adc4366f93cbc1d230247ef56R219.

-------------

PR Review Comment: https://git.openjdk.org/jdk21u-dev/pull/2085#discussion_r2295535488
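The two checks this thread is about, as an added Python model (not JDK code and not from the PR): the configurable `jdk.certpath.disabledAlgorithms` constraint that produces the "Algorithm constraints check failed on signature algorithm: MD5withRSA" error, and the TLS 1.3 signature-scheme set from RFC 8446, which contains no MD5 scheme and is therefore not affected by re-enabling MD5 in the security property. The abbreviated disabled-algorithms string, the scheme table and the function names are assumptions made for the example; the model only honours unconditional entries and skips constrained ones such as `SHA1 jdkCA & usage TLSServer`.

```python
import re

# Constructed, abbreviated form of the JDK default for jdk.certpath.disabledAlgorithms.
DEFAULT_DISABLED = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024"

# Constructed table: certificate signature algorithms that map onto a TLS 1.3
# SignatureScheme (RFC 8446 section 4.2.3). Note that nothing here uses MD5.
TLS13_CERT_SIGNATURE_ALGS = {
    "SHA256WITHRSA", "SHA384WITHRSA", "SHA512WITHRSA",
    "SHA256WITHECDSA", "SHA384WITHECDSA", "SHA512WITHECDSA",
    "RSASSA-PSS", "ED25519", "ED448",
    # legacy schemes permitted for certificate signatures only
    "SHA1WITHRSA", "SHA1WITHECDSA",
}


def parse_unconditional(prop: str) -> set[str]:
    """Return the algorithm names that are disabled without any constraint.

    Entries with constraints (keySize, usage, denyAfter, ...) are skipped in
    this simplified model.
    """
    names = set()
    for entry in prop.split(","):
        tokens = entry.split()
        if len(tokens) == 1:
            names.add(tokens[0].upper())
    return names


def components(sig_alg: str) -> list[str]:
    """Split 'MD5withRSA' into its digest and key parts, as the JDK does."""
    m = re.fullmatch(r"(.+?)with(.+)", sig_alg, re.IGNORECASE)
    return [m.group(1), m.group(2)] if m else [sig_alg]


def certpath_allows(sig_alg: str, disabled_prop: str = DEFAULT_DISABLED) -> bool:
    """Model of the jdk.certpath.disabledAlgorithms check: every component
    of the signature algorithm must be absent from the disabled list."""
    disabled = parse_unconditional(disabled_prop)
    return all(c.upper() not in disabled for c in components(sig_alg))


def tls13_allows(sig_alg: str) -> bool:
    """Model of the protocol-level check: TLS 1.3 only negotiates schemes
    from its fixed table, and no table entry is MD5-based."""
    return sig_alg.upper() in TLS13_CERT_SIGNATURE_ALGS


def check_cert_signature(sig_alg: str,
                         disabled_prop: str = DEFAULT_DISABLED,
                         tls13: bool = True) -> tuple[bool, str]:
    """Apply both checks and report which one rejected the certificate."""
    if not certpath_allows(sig_alg, disabled_prop):
        return False, f"Algorithm constraints check failed on signature algorithm: {sig_alg}"
    if tls13 and not tls13_allows(sig_alg):
        return False, f"{sig_alg} is not a TLS 1.3 signature scheme"
    return True, "ok"


if __name__ == "__main__":
    # Default policy: the certpath constraint rejects MD5withRSA first.
    print(check_cert_signature("MD5withRSA"))
    # MD5 removed from the property ("re-enabled"): the certpath check passes,
    # but TLS 1.3 must still reject the certificate, which is the bug's point.
    print(check_cert_signature("MD5withRSA", "MD2, RSA keySize < 1024"))
    print(check_cert_signature("SHA256withRSA"))
```

With MD5 re-enabled the first call in `__main__` succeeds at the certpath layer and only the TLS 1.3 table rejects the certificate; a server that skipped that second check is the behaviour the backported fix removes. Running the model under TLS 1.2 semantics (`tls13=False`) shows why the problem was specific to 1.3: there the re-enabled algorithm is accepted end to end.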

