RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v3]

Anthony Scarpino ascarpino at openjdk.org
Mon Feb 24 19:38:55 UTC 2025


On Mon, 24 Feb 2025 18:47:44 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>     * Different code path and logic behind current `UsageConstraint` implementation. I think we discussed it already at our meeting and we agreed to intercept this special TLS usage before it's consumed by constraints class.

We may have had a different thought in deviating from `UsageConstraint`. I didn't think a different processing path was necessary to handle this case; it was something like `UsageConstraint.permit(SSLCryptoScope)` could process this differently than the current `permit(ConstraintParameters)` as that was certificate related.

I don't see anything special about this constraint that needs special handling.

> 
>     * We can't just disregard a UsageConstraint that had a non-null nextConstraint, we can have multiple scopes.
> 
>     * The ampersand `&` is actually used between different constraints (`usage` and `keysize` for example). For the `usage` constraint we have a space-separated list of usages, and we can't mix TLS-specific usages with other usages.

If you are ok leaving `&` support, ok.  I remember you were concerned about it previously.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1968310981
