RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v4]

Artur Barashev abarashev at openjdk.org
Wed Jun 18 20:46:28 UTC 2025


On Wed, 18 Jun 2025 18:43:39 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> Hi @seanjmullan! This PR fixes both JDK-8353113 and JDK-8170706. So we have 2 new unit tests, one for each issue:
>> 
>> 1. `AlgorithmConstraintsCheck`: tests JDK-8170706. BTW, I'm going to update the `@bug` tag in this test to `8170706`
>> 2. `PeerConstraintsCheck`: tests JDK-8353113. No need to set any algorithm constraints because we test against the peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions. I'll add a comment to this test with the explanation.
>
> I see. You also have a 3rd: JDK-8359069. It's rare to see one PR fix multiple issues, even though skara supports it. I'm not sure I see specific advantages of having three separate issues instead of just one. Is it primarily because you see these as separate issues? In that case, does it make sense to fix this as 3 different issues in case one or more them needs to be selectively backported?

Done: all 3 issues have been combined into one.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2155459746


More information about the net-dev mailing list