RFR: 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager [v4]
Artur Barashev
abarashev at openjdk.org
Fri Jun 6 21:13:51 UTC 2025
On Fri, 6 Jun 2025 15:20:56 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Make the test run on TLSv1.3
>
> src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java line 401:
>
>> 399: continue;
>> 400: }
>> 401:
>
> I think we should also call `CertType.check` here, like in `X509KeyManagerImpl`. Since this change is now only selecting certificates with algorithms that are not disabled, I think it also makes sense to select certificates that have the proper extensions, etc., and will not cause subsequent certificate chain validation failures.
>
> This means we would have to change the name of the property so that it isn't only about disabling constraints checking. Perhaps: `jdk.tls.keymanager.disableCertSelectionChecking`.
Yes, makes sense.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2132913338