RFR: 8366211: Block signature scheme names to be used with CertificateSignature algorithm constraints usage

Artur Barashev abarashev at openjdk.org
Thu Aug 28 14:53:43 UTC 2025


On Thu, 28 Aug 2025 14:26:06 GMT, Mikhail Yankelevich <myankelevich at openjdk.org> wrote:

>> To avoid any user confusion, we should block signature scheme names from being used with the `CertificateSignature` algorithm constraints usage. For example, the `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names, and blocking one of those signature schemes with the `CertificateSignature` usage directive won't block the `RSASSA-PSS` certificate signature because the other rsa_pss_* signature schemes will still be allowed. We should direct users to use the certificate signature algorithm with the `CertificateSignature` usage directive. For example:
>> 
>> - To be blocked: `rsa_pss_pss_sha256 usage CertificateSignature`
>> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`
>
> test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java line 49:
> 
>> 47:                 () -> new BlockSignatureSchemesForCert().run(),
>> 48:                 e -> {
>> 49:                     assertTrue(e instanceof ExceptionInInitializerError);
> 
> nit: Do you think this might be a bit easier to read? 
> 
> Suggestion:
> 
>                     assertTrue(e instanceof ExceptionInInitializerError);
>                     assertTrue(e.getCause() instanceof IllegalArgumentException);
>                     assertEquals(e.getCause().getMessage(),
>                             "Can't use signature scheme names with "
>                             + "CertificateSignature usage constraint");

1) We need to keep the line length under 80 characters.
2) The string concatenation alignment is a known issue with IntelliJ: `Binary expressions: align when multiline` checkbox works great for concatenated strings but not for multiline conditional statements. I'll try to fix it on the next iteration.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307662129
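
A pre-flight check for the rule described in the quoted PR summary, as an added example that is not part of the original message or of the JDK code: it scans an algorithm-constraints property value for entries that combine a signature scheme name with `CertificateSignature` usage. The class name, the non-exhaustive scheme-name list, the sample value and the whitespace-separated entry syntax it parses are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class CertSigUsageLint {
    // Non-exhaustive sample of TLS signature scheme names (assumption:
    // extend this set to match the schemes your JDK release supports).
    static final Set<String> SCHEME_NAMES = Set.of(
            "rsa_pss_pss_sha256", "rsa_pss_pss_sha384", "rsa_pss_pss_sha512",
            "rsa_pss_rsae_sha256", "rsa_pss_rsae_sha384",
            "rsa_pss_rsae_sha512", "rsa_pkcs1_sha256",
            "ecdsa_secp256r1_sha256", "ed25519");

    // Returns the entries that pair a signature scheme name with the
    // CertificateSignature usage; certificate signature algorithm names
    // such as RSASSA-PSS are left alone.
    static List<String> findOffendingEntries(String propertyValue) {
        List<String> offending = new ArrayList<>();
        for (String entry : propertyValue.split(",")) {
            String[] tokens = entry.trim().split("\\s+");
            String name = tokens[0].toLowerCase(Locale.ROOT);
            if (tokens.length < 3 || !SCHEME_NAMES.contains(name)) {
                continue;
            }
            boolean inUsage = false;
            // Usage types follow "usage" until the next "&" constraint.
            for (String t : Arrays.asList(tokens).subList(1, tokens.length)) {
                if (t.equalsIgnoreCase("usage")) {
                    inUsage = true;
                } else if (t.equals("&")) {
                    inUsage = false;
                } else if (inUsage
                        && t.equalsIgnoreCase("CertificateSignature")) {
                    offending.add(entry.trim());
                    break;
                }
            }
        }
        return offending;
    }

    public static void main(String[] args) {
        // Constructed sample value, not from any real java.security file.
        String sample = "SSLv3, rsa_pss_pss_sha256 usage CertificateSignature,"
                + " RSASSA-PSS usage CertificateSignature,"
                + " rsa_pkcs1_sha256 usage HandshakeSignature";
        findOffendingEntries(sample).forEach(System.out::println);
    }
}
```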

