RFR: 8349583: Add mechanism to disable signature schemes based on their TLS scope [v21]
Sean Mullan
mullan at openjdk.org
Fri Mar 28 20:27:17 UTC 2025
On Fri, 28 Mar 2025 03:12:40 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Currently when a signature scheme constraint is specified with "jdk.tls.disabledAlgorithms" property we don't differentiate between signatures used to sign a TLS handshake exchange and the signatures used in TLS certificates:
>> https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.3
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Update copyright year
A final review, just a couple of minor comments.
src/java.base/share/classes/sun/security/ssl/SignatureScheme.java line 221:
> 219:
> 220: // Handshake signature scope.
> 221: public static final Set<SSLScope> HANDSHAKE_SCOPE =
I think this constant and `CERTIFICATE_SCOPE` can be package-private.
src/java.base/share/classes/sun/security/ssl/SignatureScheme.java line 554:
> 552: // Returns true if this signature scheme is supported for the given
> 553: // protocol version and SSL scopes.
> 554: boolean isSupportedProtocol(ProtocolVersion version, Set<SSLScope> scopes) {
I think this method and `isAllowed` can be private.
-------------
PR Review: https://git.openjdk.org/jdk/pull/23681#pullrequestreview-2726622461
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2019284852
PR Review Comment: https://git.openjdk.org/jdk/pull/23681#discussion_r2019286085
More information about the security-dev
mailing list