RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v19]
Sean Mullan
mullan at openjdk.org
Thu Mar 27 14:17:25 UTC 2025
On Mon, 24 Mar 2025 17:24:01 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Fix java.security syntax. Remove whitespace.
src/java.base/share/classes/sun/security/ssl/SSLScope.java line 39:
> 37: CERTIFICATE_SIGNATURE("CertificateSignature");
> 38:
> 39: final String name;
Make this `private`.
src/java.base/share/conf/security/java.security line 747:
> 745: #
> 746: # UsageType:
> 747: # ([HandshakeSignature] | [CertificateSignature])
This needs to be updated to match CSR.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2016768779
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2016770978
More information about the security-dev
mailing list