RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v7]
Sean Mullan
mullan at openjdk.org
Thu Feb 27 15:20:03 UTC 2025
On Wed, 26 Feb 2025 02:03:25 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Restore original arguments for getSupportedAlgorithms() calls
This will also require a CSR for the new syntax in the jdk.tls.disabledAlgorithms property.
Some files are missing copyright updates.
src/java.base/share/classes/sun/security/ssl/CertificateMessage.java line 50:
> 48: import javax.security.auth.x500.X500Principal;
> 49: import static sun.security.ssl.ClientAuthType.CLIENT_AUTH_REQUIRED;
> 50: import static sun.security.ssl.SignatureScheme.CERTIFICATE_SCOPE;
This import is not needed.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/23681#issuecomment-2688261276
PR Comment: https://git.openjdk.org/jdk/pull/23681#issuecomment-2688262794
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1973800961
More information about the security-dev
mailing list