RFR: 8359956: Support algorithm constraints and certificate checks in SunX509 key manager [v9]
Artur Barashev
abarashev at openjdk.org
Fri Jun 20 18:01:35 UTC 2025
On Fri, 20 Jun 2025 13:58:24 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update system property name in one more test
>
> test/jdk/sun/security/mscapi/ShortRSAKeyWithinTLS.java line 238:
>
>> 236: // Disable KeyManager's algorithm constraints checking.
>> 237: System.setProperty(
>> 238: "jdk.tls.SunX509keymanager.certSelectionChecking", "false");
>
> What if you instead just removed "RSA keySize < 1024" from the `jdk.certpath.disabledAlgorithms` security property - would this test still pass? This way you could still test the other parts of the cert selection code.
>
> This same comment applies to other tests where you have set the `jdk.tls.SunX509keymanager.certSelectionChecking` property to false.
Done, good point! It works for this particular test, but the same approach doesn't work for other tests because they either rely on TrustManager to do the constraints checks or on the MD5 algorithm being blocked by the TLSv1.3 spec.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2159457776
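
The approach suggested in the review above, removing a single entry from `jdk.certpath.disabledAlgorithms` so that the rest of the certificate selection checks stay active, as an added example (not code from the PR or the JDK test suite). The class and method names are hypothetical, and it assumes the property is changed before any TLS or cert-path class has read it.

```java
import java.security.Security;
import java.util.Arrays;
import java.util.stream.Collectors;

// Hypothetical helper for a test: relax exactly one constraint and
// leave every other entry of the security property in force.
public class RelaxCertPathConstraint {
    static final String PROP = "jdk.certpath.disabledAlgorithms";

    // Collapse whitespace so "RSA keySize  <  1024" and "RSA keySize < 1024" compare equal.
    static String normalize(String s) {
        return s.trim().replaceAll("\\s+", " ");
    }

    // Return the comma-separated property value without the given entry.
    static String withoutEntry(String value, String entry) {
        if (value == null) {
            return "";
        }
        String wanted = normalize(entry);
        return Arrays.stream(value.split(","))
                .map(RelaxCertPathConstraint::normalize)
                .filter(s -> !s.isEmpty() && !s.equalsIgnoreCase(wanted))
                .collect(Collectors.joining(", "));
    }

    public static void main(String[] args) {
        // Must run before the first handshake or cert-path validation,
        // otherwise the original value may already have been read.
        String before = Security.getProperty(PROP);
        String after = withoutEntry(before, "RSA keySize < 1024");
        Security.setProperty(PROP, after);

        System.out.println("before: " + before);
        System.out.println("after:  " + after);
        // Constructed value, not the JDK default, to show what is kept.
        System.out.println(withoutEntry(
                "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024",
                "RSA keySize < 1024"));
    }
}
```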