RFR: 8366211: Block signature scheme names to be used with CertificateSignature algorithm constraints usage [v2]

Sean Mullan mullan at openjdk.org
Thu Sep 4 17:39:44 UTC 2025


On Thu, 28 Aug 2025 21:37:22 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> To avoid any user confusion, we should block signature scheme names to be used with `CertificateSignature` algorithm constraints usage. For example, the `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names, and blocking one of those signature schemes with the `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signatures because the other rsa_pss_* signature schemes will still be allowed. We should direct users to use the certificate signature algorithm with the `CertificateSignature` usage directive. For example:
>> 
>> - To be blocked: `rsa_pss_pss_sha256 usage CertificateSignature`
>> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Fix string concatenation alignment. Use upper-case characters in the test signature scheme name.

src/java.base/share/conf/security/java.security line 764:

> 762: #       - rsa_pkcs1_sha1 usage HandshakeSignature
> 763: #       - SHA1withRSA usage CertificateSignature
> 764: #

I suggest we also include more details on the acceptable algorithms for HandshakeSignature. I suggest rewording something like:

> HandshakeSignature restricts the use of the algorithm in TLS handshake signatures. The algorithm is the name of the TLS signature scheme as specified in the Signature Schemes section of the Java Security Standard Algorithm Names specification.
> 
> CertificateSignature restricts the use of the algorithm in certificate signatures. The algorithm is the name of a java.security.Signature algorithm as specified in the Signature Algorithms section of the Java Security Standard Algorithm Names specification.
> 
> An algorithm with the HandshakeSignature or CertificateSignature constraint cannot include other usage types defined in the jdk.certpath.disabledAlgorithms property. The usage type follows the keyword and more than one usage type can be specified with a whitespace delimiter.
> 

I don't think you need to say TLS signature schemes cannot be used with CertificateSignature as long as you are clear above as to what the acceptable algorithms are. Does HandshakeSignature only support TLS signature schemes or does it also support java.security.Signature algorithms?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2322934928
