RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v13]
Artur Barashev
abarashev at openjdk.org
Thu Mar 6 20:36:24 UTC 2025
> Currently, when a signature scheme constraint is specified with the "jdk.tls.disabledAlgorithms" property, we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Also fixing JDK-8350807 on the server side just as a side-effect, not a dedicated fix for that issue.
Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 15 additional commits since the last revision:
- Merge branch 'master' into JDK-8349583
- Remove the fix for JDK-8350807. Update documentation.
- Update documentation and unit tests to signal TLS scope case-insensitivity
- Update 2 more copyrights
- Update TLS version in one more unit test
- - Check signature schemes that are enabled specifically for the handshake when HANDSHAKE_SCOPE is specified
- Update copyright
- Update HTTPS tests that are broken because we also fix JDK-8350807 on the server side as a side-effect
- Revert "Restore original arguments for getSupportedAlgorithms() calls"
This reverts commit 4b335619ee6a79a6f609fe98c5339588a6a1342a.
- Restore original arguments for getSupportedAlgorithms() calls
- - Refactor code to use existing "usage" constraint.
- Rename SSLCryptoScope to SSLScope, make it public.
- Merge branch 'master' into JDK-8349583
- ... and 5 more: https://git.openjdk.org/jdk/compare/8e95f066...7a786e0d
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/23681/files
- new: https://git.openjdk.org/jdk/pull/23681/files/efb11851..7a786e0d
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=23681&range=12
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=23681&range=11-12
Stats: 7401 lines in 193 files changed: 3664 ins; 3082 del; 655 mod
Patch: https://git.openjdk.org/jdk/pull/23681.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/23681/head:pull/23681
PR: https://git.openjdk.org/jdk/pull/23681