RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v17]
Artur Barashev
abarashev at openjdk.org
Wed Mar 12 16:01:55 UTC 2025
> Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains 20 additional commits since the last revision:
- Rename usage constraints to HandshakeSignature and CertificateSignature
- Merge branch 'master' into JDK-8349583
- Constraint description update
- Update constraint description
- Move SSLScope class description below the package
- Merge branch 'master' into JDK-8349583
- Remove the fix for JDK-8350807. Update documentation.
- Update documentation and unit tests to signal TLS scope case-insensitivity
- Update 2 more copyrights
- Update TLS version in one more unit test
- ... and 10 more: https://git.openjdk.org/jdk/compare/d9d07e80...3320ecbb
-------------
Changes:
- all: https://git.openjdk.org/jdk/pull/23681/files
- new: https://git.openjdk.org/jdk/pull/23681/files/32ec7810..3320ecbb
Webrevs:
- full: https://webrevs.openjdk.org/?repo=jdk&pr=23681&range=16
- incr: https://webrevs.openjdk.org/?repo=jdk&pr=23681&range=15-16
Stats: 67886 lines in 1361 files changed: 31053 ins; 24859 del; 11974 mod
Patch: https://git.openjdk.org/jdk/pull/23681.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/23681/head:pull/23681
PR: https://git.openjdk.org/jdk/pull/23681
More information about the security-dev
mailing list