Withdrawn: 8366211: Block signature scheme names to be used with CertificateSignature algorithm constraints usage
Artur Barashev
abarashev at openjdk.org
Mon Sep 8 15:36:19 UTC 2025
On Wed, 27 Aug 2025 19:04:20 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> To avoid any user confusion, we should block signature scheme names to be used with `CertificateSignature` algorithm constraints usage. For example, `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names and blocking one of those signature scheme with `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signature because other rsa_pss_* signature schemes still will be allowed. We should direct users to use certificate signature algorithm with `CertificateSignature` usage directive. For example:
>
> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature"
> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`
This pull request has been closed without being integrated.
-------------
PR: https://git.openjdk.org/jdk/pull/26970
More information about the security-dev
mailing list