RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v19]
Sean Mullan
mullan at openjdk.org
Thu Mar 27 18:54:23 UTC 2025
On Mon, 24 Mar 2025 17:24:01 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Fix java.security syntax. Remove whitespace.
test/jdk/sun/security/ssl/SignatureScheme/AbstractCheckSignatureSchemes.java line 77:
> 75: }
> 76:
> 77: protected String getProtocol() {
I'd be more inclined to make this abstract and force subclasses to override it.
test/jdk/sun/security/ssl/SignatureScheme/DisableSignatureSchemePerScopeTLS12.java line 52:
> 50: protected static final String DISABLED_CONSTRAINTS =
> 51: HANDSHAKE_DISABLED_SIG + " usage HandShakesignature, "
> 52: + CERTIFICATE_DISABLED_SIG + " usage certificateSignature";
Nit: s/certificateSignature/CertificateSignature/
test/jdk/sun/security/ssl/SignatureScheme/DisableSignatureSchemePerScopeTLS13.java line 42:
> 40:
> 41: public class DisableSignatureSchemePerScopeTLS13
> 42: extends DisableSignatureSchemePerScopeTLS12 {
It's a little odd this extends *TLS12 - did you consider extending `AbstractCheckSignatureSchemes` or was that too complicated?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2017434192
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2017425885
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2017440271
More information about the security-dev
mailing list