RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v4]
Artur Barashev
abarashev at openjdk.org
Tue Aug 26 14:55:36 UTC 2025
On Tue, 26 Aug 2025 05:21:57 GMT, Nibedita Jena <duke at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - Update tests
>> - Revert "Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3"
>>
>> This reverts commit adc236be4bcac11614e2741c99545aa593f6af5b.
>
> test/jdk/sun/security/ssl/SignatureScheme/DisableSignatureSchemePerScopeTLS12.java line 138:
>
>> 136: // signature_algorithms_cert extension MUST NOT contain disabled
>> 137: // certificate signature scheme.
>> 138: assertFalse(sigAlgsCertSS.contains(CERTIFICATE_DISABLED_SIG),
>
> If `jdk.tls.client.disableExtensions=signature_algorithms_cert` is used, then the given extension won't be present; it will fail here.
Correct, [DisableSignatureSchemePerScopeNoClientCertSignAlgsExtTLS12.java](https://github.com/openjdk/jdk/pull/26887/files#diff-4e93ab75d50e906c41e810114260fa3ca601f2fe554990578feaf9406e94687a) tests this scenario.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2301266657