RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v3]
Artur Barashev
abarashev at openjdk.org
Mon May 12 20:05:18 UTC 2025
> When the deafult SunX509KeyManagerImpl is being used we are in violation of TLSv1.3 RFC spec because we ignore peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions:
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3
>
> X509KeyManagerImpl on the other hand includes the algorithms sent by the peer in "signature_algorithms_cert" extension (or in "signature_algorithms" extension when "signature_algorithms_cert" extension isn't present) in the algorithm constraints being checked.
Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
Make sure the exception happens during KeyManager's algorithm check
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/25016/files
- new: https://git.openjdk.org/jdk/pull/25016/files/88cd4016..5c137c14
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=02
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=01-02
Stats: 17 lines in 1 file changed: 2 ins; 5 del; 10 mod
Patch: https://git.openjdk.org/jdk/pull/25016.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/25016/head:pull/25016
PR: https://git.openjdk.org/jdk/pull/25016
More information about the net-dev
mailing list