RFR: 8366211: Block signature scheme names to be used with CertificateSignature algorithm constraints usage [v2]

Artur Barashev abarashev at openjdk.org
Thu Aug 28 21:37:22 UTC 2025


> To avoid any user confusion, we should block signature scheme names to be used with `CertificateSignature` algorithm constraints usage. For example, `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names and blocking one of those signature scheme with `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signature because other rsa_pss_* signature schemes still will be allowed. We should direct users to use certificate signature algorithm with `CertificateSignature` usage directive. For example:
> 
> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature"
> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`

Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:

  Fix string concatenation alignment. Use upper-case characters in the test signature scheme name.

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/26970/files
  - new: https://git.openjdk.org/jdk/pull/26970/files/2e23755a..704a70f6

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=26970&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26970&range=00-01

  Stats: 7 lines in 2 files changed: 0 ins; 0 del; 7 mod
  Patch: https://git.openjdk.org/jdk/pull/26970.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/26970/head:pull/26970

PR: https://git.openjdk.org/jdk/pull/26970


More information about the security-dev mailing list