RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v13]

Sean Mullan mullan at openjdk.org
Thu Mar 6 21:59:05 UTC 2025


On Thu, 6 Mar 2025 20:36:24 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> Currently when a signature scheme constraint is specified with the "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 15 additional commits since the last revision:
> 
>  - Merge branch 'master' into JDK-8349583
>  - Remove the fix for JDK-8350807. Update documentation.
>  - Update documentation and unit tests to signal TLS scope case-insensitivity
>  - Update 2 more copyrights
>  - Update TLS version in one more unit test
>  - - Check signature schemes that are enabled specifically for the handshake when HANDSHAKE_SCOPE is specified
>    - Update copyright
>    - Update HTTPS tests that are broken because we also fix JDK-8350807 on the server side as a side-effect
>  - Revert "Restore original arguments for getSupportedAlgorithms() calls"
>    
>    This reverts commit 4b335619ee6a79a6f609fe98c5339588a6a1342a.
>  - Restore original arguments for getSupportedAlgorithms() calls
>  - - Refactor code to use existing "usage" constraint.
>    - Rename SSLCryptoScope to SSLScope, make it public.
>  - Merge branch 'master' into JDK-8349583
>  - ... and 5 more: https://git.openjdk.org/jdk/compare/3c2b5ff5...7a786e0d

src/java.base/share/classes/sun/security/ssl/SSLScope.java line 28:

> 26: /*
> 27:  * Scopes defining different parts of TLS protocol.
> 28:  */

Can you move the class description below the package?

src/java.base/share/classes/sun/security/ssl/SSLScope.java line 39:

> 37: 
> 38:     // Note: the SSLScope is case-insensitive.
> 39:     public static SSLScope nameOf(String name) {

`valueOf` is probably a better name, and used by other Enum classes for this pattern.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1984099438
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r1984106156
