RFR: 8262186: Call X509KeyManager.chooseClientAlias once for all key types [v2]

Xue-Lei Andrew Fan xuelei at openjdk.java.net
Mon Aug 30 16:57:31 UTC 2021


On Mon, 30 Aug 2021 15:50:19 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Did you mean to change hc.peerRequestedCertSignSchemes to String?  This field would be used for algorithm constraints and more parameters are required there.
>
> No, I meant changing the type of the `certScheme` argument in
> 
>     static SignatureScheme getPreferableAlgorithm(
>             AlgorithmConstraints constraints,
>             List<SignatureScheme> schemes,
>             SignatureScheme certScheme,
>             ProtocolVersion version) {
> 
> to `String`. Since we are only putting `ss.keyAlgorithm` value into the checked type list, we need to make sure we only check on `keyAlgorithm` now. My concern is that suppose one day we decide to check on `ss.namedGroup` as well, then we will remember to update this method and the checked list at the same time.

I don't think so.  In logic, we should check the SignatureScheme here rather than the String key algorithm.  If we need an update in the future, we may want to update the following-on methods, like key manager APIs.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5257
