RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v2]

Sean Mullan mullan at openjdk.org
Tue Sep 9 16:49:07 UTC 2025


On Mon, 8 Sep 2025 21:56:55 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
> 
>   More test cases

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 52:

> 50: 
> 51:     public enum SIGNATURE_CONSTRAINTS_MODE {
> 52:         NONE,  // Don't check against any supported signatures

Do we need NONE? I don't see it used anywhere.

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 311:

> 309:             supportedAlgorithms = null;
> 310:             supportedSignatureSchemes = null;
> 311:             checksDisabled = false;

Not necessary to initialize, those are the defaults.

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 422:

> 420:             } catch (InvalidParameterSpecException e) {
> 421:                 throw new IllegalArgumentException(
> 422:                         "Invalid AlgorithmParameters", e);

I'd be more inclined to log a warning message here, but otherwise return true. This case should only occur if the RSASSA-PSS key is from some 3rd party provider that doesn't implement `AlgorithmParameters` correctly. I don't think that should result in a runtime exception - those should only be thrown if there is an issue with the `java.security` syntax for the disabled properties.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334116853
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334173269
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334202795
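The parameter check under discussion, with the warn-and-permit handling suggested in the last comment, sketched as an added stand-alone example; it is not code from the pull request or from the JDK. The class name `PssParamsCheck`, the `DISABLED` set and the `permits` helper are hypothetical, and the disabled list is modelled as a plain set of digest names rather than the `java.security` properties.

```java
import java.security.AlgorithmParameters;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Locale;
import java.util.Set;

public class PssParamsCheck {
    // Hypothetical stand-in for a disabled-algorithms list (assumption).
    static final Set<String> DISABLED = Set.of("SHA-1", "SHA1");

    /** Returns false if the PSS message digest or the MGF1 digest is disabled. */
    static boolean permits(AlgorithmParameters params) {
        if (params == null) {
            return true; // no parameters, nothing to check
        }
        PSSParameterSpec spec;
        try {
            spec = params.getParameterSpec(PSSParameterSpec.class);
        } catch (InvalidParameterSpecException e) {
            // Handling suggested in the review: a provider that cannot produce
            // a PSSParameterSpec gets a warning, not a runtime exception.
            System.getLogger("PssParamsCheck").log(System.Logger.Level.WARNING,
                    "Invalid RSASSA-PSS AlgorithmParameters", e);
            return true;
        }
        if (isDisabled(spec.getDigestAlgorithm())) {
            return false;
        }
        // The mask generation function carries its own digest; check it too.
        if (spec.getMGFParameters() instanceof MGF1ParameterSpec mgf1) {
            return !isDisabled(mgf1.getDigestAlgorithm());
        }
        return true;
    }

    static boolean isDisabled(String digest) {
        return DISABLED.contains(digest.toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample parameters: one SHA-1 based, one SHA-256 based.
        for (PSSParameterSpec s : new PSSParameterSpec[] {
                new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, 1),
                new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)}) {
            AlgorithmParameters p = AlgorithmParameters.getInstance("RSASSA-PSS");
            p.init(s);
            System.out.println(s.getDigestAlgorithm() + " permitted: " + permits(p));
        }
    }
}
```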

