RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v2]
Sean Mullan
mullan at openjdk.org
Tue Sep 9 15:05:47 UTC 2025
On Mon, 8 Sep 2025 21:56:55 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> More test cases
src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java line 1453:
> 1451: }
> 1452:
> 1453: // try the best to check the algorithm constraints
Not part of your change, but can you remove the words "try the best to" - those words make it sound like it will pass even if the constraint checks fail. Also on line 1478.
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1408:
> 1406:
> 1407: /**
> 1408: * Gets an array of supported signature schemes that the peer is
s/an array/a collection/
src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1409:
> 1407: /**
> 1408: * Gets an array of supported signature schemes that the peer is
> 1409: * willing to verify. Those are sent with "signature_algorithms_cert"
s/with/with the/
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2333935494
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2333917670
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2333918641
More information about the security-dev
mailing list