RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v4]

Artur Barashev abarashev at openjdk.org
Tue Aug 26 14:55:36 UTC 2025


On Tue, 26 Aug 2025 05:21:57 GMT, Nibedita Jena <duke at openjdk.org> wrote:

>> Artur Barashev has updated the pull request incrementally with two additional commits since the last revision:
>> 
>>  - Update tests
>>  - Revert "Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3"
>>    
>>    This reverts commit adc236be4bcac11614e2741c99545aa593f6af5b.
>
> test/jdk/sun/security/ssl/SignatureScheme/DisableSignatureSchemePerScopeTLS12.java line 138:
> 
>> 136:         // signature_algorithms_cert extension MUST NOT contain disabled
>> 137:         // certificate signature scheme.
>> 138:         assertFalse(sigAlgsCertSS.contains(CERTIFICATE_DISABLED_SIG),
> 
> If `jdk.tls.client.disableExtensions=signature_algorithms_cert` is used, then the given extension won't be present; it will fail here.

Correct, [DisableSignatureSchemePerScopeNoClientCertSignAlgsExtTLS12.java](https://github.com/openjdk/jdk/pull/26887/files#diff-4e93ab75d50e906c41e810114260fa3ca601f2fe554990578feaf9406e94687a) tests this scenario.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2301266657

