RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v4]

[Sean Mullan]

On Fri, 6 Jun 2025 16:19:07 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> test/jdk/sun/security/ssl/X509KeyManager/PeerConstraintsCheck.java line 1:
>> 
>>> 1: /*
>> 
>> I am trying to figure out when the algorithm constraints are enabled, why the key isn't being selected. I don't see anywhere that you are setting the algorithm constraints property.
>> 
>> Please add some more comments explaining how the exception case occurs.
>
> Hi @seanjmullan! This PR fixes both JDK-8353113 and JDK-8170706. So we have 2 new unit tests, one for each issue:
> 
> 1. `AlgorithmConstraintsCheck`: tests JDK-8170706. BTW, I'm going to update the `@bug` tag in this test to `8170706`
> 2. `PeerConstraintsCheck`: tests JDK-8353113. No need to set any algorithm constraints because we test against the peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions. I'll add a comment to this test with the explanation.

I see. You also have a 3rd: JDK-8359069. It's rare to see one PR fix multiple issues, even though skara supports it. I'm not sure I see specific advantages of having three separate issues instead of just one. Is it primarily because you see these as separate issues? In that case, does it make sense to fix this as 3 different issues in case one or more them needs to be selectively backported?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2155264743