RFR: 8262186: Call X509KeyManager.chooseClientAlias once for all key types [v2]

Weijun Wang weijun at openjdk.java.net
Mon Aug 30 18:17:27 UTC 2021


On Mon, 30 Aug 2021 16:54:23 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:

>> No, I meant changing the type of the `certScheme` argument in
>> 
>>     static SignatureScheme getPreferableAlgorithm(
>>             AlgorithmConstraints constraints,
>>             List<SignatureScheme> schemes,
>>             SignatureScheme certScheme,
>>             ProtocolVersion version) {
>> 
>> to `String`. Since we are only putting `ss.keyAlgorithm` value into the checked type list, we need to make sure we only check `keyAlgorithm` now. My concern is that suppose one day we decide to check on `ss.namedGroup` as well, then we will need to remember to update this method and the checked list at the same time.
>
> I don't think so. In logic, we should check the SignatureScheme here rather than the String key algorithm. If we need an update in the future, we may want to update the follow-on methods, like key manager APIs.

I agree it's not a problem now, and once we think it's a problem it will be a big one. I'll keep the current methods as is.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5257
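To make the trade-off in the exchange above concrete, here is an added example (hypothetical Java, not the JDK's `SignatureScheme` or `getPreferableAlgorithm`; the enum, field names and class are assumptions): with the certificate described only by a `String` key algorithm, the method can never distinguish EC keys on different curves, whereas keeping the scheme type leaves a single place where a `namedGroup` check can live alongside the `keyAlgorithm` check.

```java
import java.util.ArrayList;
import java.util.List;
// Hypothetical stand-in for JSSE's SignatureScheme (the real enum carries more).
enum Scheme {
    ECDSA_SECP256R1_SHA256("EC", "secp256r1"),
    ECDSA_SECP384R1_SHA384("EC", "secp384r1"),
    RSA_PSS_RSAE_SHA256("RSA", null),
    RSA_PKCS1_SHA256("RSA", null);

    final String keyAlgorithm;
    final String namedGroup; // null when the scheme does not pin a curve

    Scheme(String keyAlgorithm, String namedGroup) {
        this.keyAlgorithm = keyAlgorithm;
        this.namedGroup = namedGroup;
    }
}

public class SchemeSelection {
    // Variant A: the certificate is described by a String key algorithm only, so
    // every EC scheme matches an EC certificate whatever curve its key is on.
    static List<Scheme> byKeyAlgorithm(List<Scheme> offered, String certKeyAlgorithm) {
        List<Scheme> out = new ArrayList<>();
        for (Scheme s : offered) {
            if (s.keyAlgorithm.equals(certKeyAlgorithm)) out.add(s);
        }
        return out;
    }

    // Variant B: the certificate is described by a Scheme, so keyAlgorithm is compared
    // exactly as in A and, because the type is kept, namedGroup can be checked here too.
    static List<Scheme> byScheme(List<Scheme> offered, Scheme certScheme) {
        List<Scheme> out = new ArrayList<>();
        for (Scheme s : offered) {
            boolean keyMatches = s.keyAlgorithm.equals(certScheme.keyAlgorithm);
            boolean groupMatches = certScheme.namedGroup == null
                    || certScheme.namedGroup.equals(s.namedGroup);
            if (keyMatches && groupMatches) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) {
        List<Scheme> offered = List.of(Scheme.values());
        // The same P-256 certificate, described both ways.
        System.out.println(byKeyAlgorithm(offered, "EC"));
        System.out.println(byScheme(offered, Scheme.ECDSA_SECP256R1_SHA256));
    }
}
```

Running `main` shows variant A returning both EC schemes for the P-256 certificate while variant B returns only the secp256r1 scheme, which is the kind of mismatch a `String` parameter cannot express.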
