RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v8]

Artur Barashev abarashev at openjdk.org
Thu Sep 11 15:48:07 UTC 2025


> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against supported signature algorithm constraints.

Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains eight commits:

 - Merge branch 'master' into Check_RSASSA-PSS_cert_params
   
   # Conflicts:
   #	src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java
 - Add a TrustManager check
 - Fix key algorithm bug. Add more test cases
 - Use null instead of SIGNATURE_CONSTRAINTS_MODE.NONE
 - Use default constraints if SIGNATURE_CONSTRAINTS_MODE is NONE. Log warning and return true on InvalidParameterSpecException
 - Address review comments
 - More test cases
 - 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints

-------------

Changes: https://git.openjdk.org/jdk/pull/27146/files
  Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27146&range=07
  Stats: 580 lines in 8 files changed: 427 ins; 106 del; 47 mod
  Patch: https://git.openjdk.org/jdk/pull/27146.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/27146/head:pull/27146

PR: https://git.openjdk.org/jdk/pull/27146

