RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v4]

Artur Barashev abarashev at openjdk.org
Fri Jun 13 14:48:31 UTC 2025


On Fri, 6 Jun 2025 21:11:16 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java line 401:
>> 
>>> 399:                 continue;
>>> 400:             }
>>> 401: 
>> 
>> I think we should also call `CertType.check` here, like in `X509KeyManagerImpl`. Since this change is now only selecting certificates with algorithms that are not disabled, I think it also makes sense to select certificates that have the proper extensions, etc and will not cause subsequent certificate chain validation failures.
>> 
>> This means we would have to change the name of the property so that it isn't only about disabling constraints checking. Perhaps: `jdk.tls.keymanager.disableCertSelectionChecking`.
>
> Yes, makes sense.

Done.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2145256449


More information about the net-dev mailing list