RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v8]
Sean Mullan
mullan at openjdk.org
Thu Sep 11 19:34:07 UTC 2025
On Thu, 11 Sep 2025 15:48:07 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against supported signature algorithm constraints.
>
> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains eight commits:
>
> - Merge branch 'master' into Check_RSASSA-PSS_cert_params
>
> # Conflicts:
> # src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java
> - Add a TrustManager check
> - Fix key algorithm bug. Add more test cases
> - Use null instead of SIGNATURE_CONSTRAINTS_MODE.NONE
> - Use default constraints if SIGNATURE_CONSTRAINTS_MODE is NONE. Log warning and return true on InvalidParameterSpecException
> - Address review comments
> - More test cases
> - 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints
src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 312:
> 310: checksDisabled = false;
> 311:
> 312: if (mode == null
I can't find any code where `mode` can be `null`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2342134685
More information about the security-dev
mailing list