RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v4]
Artur Barashev
abarashev at openjdk.org
Fri Jun 6 16:21:59 UTC 2025
On Thu, 5 Jun 2025 19:31:55 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Make the test run on TLSv1.3
>
> test/jdk/sun/security/ssl/X509KeyManager/PeerConstraintsCheck.java line 1:
>
>> 1: /*
>
> I am trying to figure out when the algorithm constraints are enabled, why the key isn't being selected. I don't see anywhere that you are setting the algorithm constraints property.
>
> Please add some more comments explaining how the exception case occurs.
Hi @seanjmullan! This PR fixes both JDK-8353113 and JDK-8170706. So we have 2 new unit tests for each:
1. `AlgorithmConstraintsCheck`: tests JDK-8170706. BTW, I'm going to update the `@bug` tag in this test to `8170706`
2. `PeerConstraintsCheck`: tests JDK-8353113. No need to set any algorithm constraints because we test against the peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions. I'll add a comment to this test with the explanation.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2132486696
More information about the security-dev
mailing list