RFR: 8366211: Block signature scheme names to be used with CertificateSignature algorithm constraints usage

Mikhail Yankelevich myankelevich at openjdk.org
Thu Aug 28 14:28:44 UTC 2025


On Wed, 27 Aug 2025 19:04:20 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

> To avoid any user confusion, we should block signature scheme names to be used with `CertificateSignature` algorithm constraints usage. For example, `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names and blocking one of those signature scheme with `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signature because other rsa_pss_* signature schemes still will be allowed. We should direct users to use certificate signature algorithm with `CertificateSignature` usage directive. For example:
> 
> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature"
> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`

test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java line 46:

> 44:                 "rsa_pss_pss_sha256 usage CertificateSignature");
> 45: 
> 46:         runAndCheckException(

Minor: could you please make it `Utils.runAndCheckException` if there are going to be changes? Not worth another commit on it's own, but would improve the readability imo

test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java line 49:

> 47:                 () -> new BlockSignatureSchemesForCert().run(),
> 48:                 e -> {
> 49:                     assertTrue(e instanceof ExceptionInInitializerError);

nit: Do you think this might be a bit easier to read? 

Suggestion:

                    assertTrue(e instanceof ExceptionInInitializerError);
                    assertTrue(e.getCause() instanceof IllegalArgumentException);
                    assertEquals(e.getCause().getMessage(),
                            "Can't use signature scheme names with "
                            + "CertificateSignature usage constraint");

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307485228
PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307586777


More information about the security-dev mailing list