RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v3]
Artur Barashev
abarashev at openjdk.org
Fri Aug 22 02:02:39 UTC 2025
> [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) implementation assumes that OpenJDK client always sends "signature_algorithms_cert" extension together with "signature_algorithms" extension. But we didn't account for `jdk.tls.client.disableExtensions` and `jdk.tls.server.disableExtensions` system properties which can disable producing "signature_algorithms_cert" extension. This is an issue similar to [JDK-8355779](https://bugs.openjdk.org/browse/JDK-8355779) but on the extension producing side.
>
> Per TLSv1.3 RFC:
>
>> If no "signature_algorithms_cert" extension is
>> present, then the "signature_algorithms" extension also applies to
>> signatures appearing in certificates.
>
> Also making a few cosmetic changes to the existing code.
Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:
- Merge branch 'master' into JDK-8365820
- Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3
- 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/26887/files
- new: https://git.openjdk.org/jdk/pull/26887/files/adc236be..c7f84138
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=26887&range=02
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=26887&range=01-02
Stats: 35201 lines in 1054 files changed: 20695 ins; 10476 del; 4030 mod
Patch: https://git.openjdk.org/jdk/pull/26887.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/26887/head:pull/26887
PR: https://git.openjdk.org/jdk/pull/26887
More information about the security-dev
mailing list