RFR: 8371721: Refactor checkTrusted methods in X509TrustManagerImpl [v4]
Sean Coffey
coffeys at openjdk.org
Thu Dec 11 18:58:08 UTC 2025
On Wed, 10 Dec 2025 20:54:09 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java line 210:
>>
>>> 208:
>>> 209: if (socket instanceof SSLSocket sslSocket && sslSocket.isConnected()) {
>>> 210: session = sslSocket.getHandshakeSession();
>>
>> subtle change in the refactoring now that the session non-null check is delayed until the new `findTrustedCertificate` call.
>> The `SSLAlgorithmConstraints.forEngine/forSocket/forQUIC` methods also reference the session before the `findTrustedCertificate` call . Have you ensured that a null session can't cause issue there ?
>
> Yes, we have a check for session not being null there: `session instanceof ExtendedSSLSession`
fair enough. SupportedSignatureAlgorithmConstraints constructor caters for this scenario at moment.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/28275#discussion_r2611715401
More information about the security-dev
mailing list