RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v8]
Artur Barashev
abarashev at openjdk.org
Thu Sep 11 20:02:18 UTC 2025
On Thu, 11 Sep 2025 19:29:09 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains eight commits:
>>
>> - Merge branch 'master' into Check_RSASSA-PSS_cert_params
>>
>> # Conflicts:
>> # src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java
>> - Add a TrustManager check
>> - Fix key algorithm bug. Add more test cases
>> - Use null instead of SIGNATURE_CONSTRAINTS_MODE.NONE
>> - Use default constraints if SIGNATURE_CONSTRAINTS_MODE is NONE. Log warning and return true on InvalidParameterSpecException
>> - Address review comments
>> - More test cases
>> - 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints
>
> src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 312:
>
>> 310: checksDisabled = false;
>> 311:
>> 312: if (mode == null
>
> I can't find any code where `mode` can be `null`.
There is no such code currently. But if somebody makes a call with `null` mode in the future it will create `SupportedSignatureAlgorithmConstraints` object that will always return `false` on permit calls because of the `if (supportedAlgorithms == null || supportedAlgorithms.isEmpty())` check below. So I think it makes sense to check for it here.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2342197304
More information about the security-dev
mailing list