RFR: 8288209: SSL debug message wrong about unsupported authentication scheme [v2]
Jamil Nimeh
jnimeh at openjdk.java.net
Tue Jun 14 22:50:43 UTC 2022
On Mon, 13 Jun 2022 16:30:36 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
>> Weijun Wang has updated the pull request incrementally with one additional commit since the last revision:
>>
>> typo
>
> src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 1045:
>
>> 1043: }
>> 1044:
>> 1045: String[] supportedKeyTypes = hc.peerRequestedCertSignSchemes
>
> Preexisting, but shouldn't we use `peerRequestedSignatureSchemes` here? If I read [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2) correctly, `peerRequestedCertSignSchemes` only applies to how the certificates were signed; it does not limit the end-entity key type in any way.
It does appear that there is an issue here. Weijun and I have done a little playtesting with this and there are some cases where it isn't behaving as expected. I don't know if this can be solved as simply as using `peerRequestedSignatureSchemes` though. It might be that simple, but I think the selection code is complex enough and there are enough edge cases to test that this PR might not be the place to address this. We probably need a separate bug to deal with this one.
-------------
PR: https://git.openjdk.org/jdk/pull/9140
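Added example (not part of the original message and not JDK code): a self-contained sketch of the distinction the quoted review comment draws from RFC 8446, between schemes that cover signatures inside certificates (`signature_algorithms_cert`) and schemes that cover the handshake signature (`signature_algorithms`). The class name, the scheme-to-key-type table and the sample offer are assumptions constructed for illustration.

```java
import java.util.*;

// Illustration only, not JDK code. Scheme names follow RFC 8446; the
// scheme-to-key-type table is a simplified assumption for this example.
public class SchemeKeyTypes {
    static final Map<String, String> KEY_TYPE = Map.of(
        "ecdsa_secp256r1_sha256", "EC",
        "ecdsa_secp384r1_sha384", "EC",
        "rsa_pss_rsae_sha256", "RSA",
        "rsa_pkcs1_sha256", "RSA",
        "ed25519", "EdDSA");

    // Key types able to produce a signature under any of the given schemes.
    static Set<String> keyTypes(List<String> schemes) {
        Set<String> types = new LinkedHashSet<>();
        for (String s : schemes) {
            String t = KEY_TYPE.get(s);
            if (t != null) types.add(t);   // skip schemes this table does not know
        }
        return types;
    }

    // RFC 8446 4.2.3: without signature_algorithms_cert, signature_algorithms
    // also applies to signatures appearing in certificates.
    static List<String> effectiveCertSchemes(List<String> sigAlgs, List<String> sigAlgsCert) {
        return sigAlgsCert == null ? sigAlgs : sigAlgsCert;
    }

    public static void main(String[] args) {
        // Constructed peer offer: CertificateVerify must be ECDSA, while the
        // certificates themselves may carry RSA signatures from the issuer.
        List<String> sigAlgs = List.of("ecdsa_secp256r1_sha256");
        List<String> sigAlgsCert = List.of("rsa_pkcs1_sha256", "rsa_pss_rsae_sha256");

        System.out.println("key types from signature_algorithms:      "
            + keyTypes(sigAlgs));
        System.out.println("key types from signature_algorithms_cert: "
            + keyTypes(effectiveCertSchemes(sigAlgs, sigAlgsCert)));
        // Same offer without the _cert extension: both views coincide.
        System.out.println("key types with no _cert extension:        "
            + keyTypes(effectiveCertSchemes(sigAlgs, null)));
    }
}
```

With this constructed offer, an EC end-entity key in an RSA-signed chain satisfies both extensions, yet a key-type list derived from the certificate schemes alone contains only RSA.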