RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v3]
Sean Mullan
mullan at openjdk.org
Tue Sep 9 19:15:34 UTC 2025
On Tue, 9 Sep 2025 16:37:02 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against supported signature algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Address review comments
test/jdk/sun/security/ssl/SignatureScheme/RsaSsaPssConstraints.java line 1:
> 1: /*
How difficult would it be to add a test for "Rsa_pss_rsae_Sha384"? I think certificates with the rsaEncryption OID are much more common, so it would be good to add a test case for that.
test/jdk/sun/security/ssl/SignatureScheme/RsaSsaPssConstraints.java line 110:
> 108: algo + " usage CertificateSignature");
> 109:
> 110: for (String protocol : new String[]{"TLS", "TLSv1.2"}) {
I think you should test "TLSv1.3" specifically instead of "TLS", so we are sure this test is testing 1.3.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334531774
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334486554
More information about the security-dev
mailing list