RFR: 8288209: SSL debug message wrong about unsupported authentication scheme [v2]

Jamil Nimeh jnimeh at openjdk.java.net
Tue Jun 14 22:50:43 UTC 2022

On Mon, 13 Jun 2022 16:30:36 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:

>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>   typo
> src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 1045:
>> 1043:             }
>> 1044: 
>> 1045:             String[] supportedKeyTypes = hc.peerRequestedCertSignSchemes
> Preexisting, but shouldn't we use `peerRequestedSignatureSchemes` here? If I read [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section- correctly, `peerRequestedCertSignSchemes` only applies to how the certificates were signed; it does not limit the end-entity key type in any way.

It does appear that there is an issue here.  Weijun and I have done a little playtesting with this and there are some cases where it isn't behaving as expected.  I don't know if this can be solved as simply as using `peerRequestedSignatureSchemes` though.  It might be that simple, but I think the selection code is complex enough and there are enough edge cases to test that this PR might not be the place to address this.  We probably need a separate bug to deal with this one.


PR: https://git.openjdk.org/jdk/pull/9140

More information about the security-dev mailing list