RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v4]
Artur Barashev
abarashev at openjdk.org
Fri Jun 13 14:48:31 UTC 2025
On Fri, 6 Jun 2025 21:11:16 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java line 401:
>>
>>> 399: continue;
>>> 400: }
>>> 401:
>>
>> I think we should also call `CertType.check` here, like in `X509KeyManagerImpl`. Since this change is now only selecting certificates with algorithms that are not disabled, I think it also makes sense to select certificates that have the proper extensions, etc and will not cause subsequent certificate chain validation failures.
>>
>> This means we would have to change the name of the property so that it isn't only about disabling constraints checking. Perhaps: `jdk.tls.keymanager.disableCertSelectionChecking`.
>
> Yes, makes sense.
Done.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2145256449
More information about the net-dev
mailing list