RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v9]
Sean Mullan
mullan at openjdk.org
Fri Sep 12 13:21:35 UTC 2025
On Thu, 11 Sep 2025 22:06:10 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against supported signature algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Update comments. Remove unnecessary variable assignments.
Looks good.
src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java line 475:
> 473: // Omit checks if EE cert is also a trust anchor
> 474: if (chain.length > 1) {
> 475: AlgorithmChecker checker = new AlgorithmChecker(
Another option would be to add this `AlgorithmChecker` as another checker in the `PKIXBuilderParameters` when instantiating a `PKIXValidator`, and then the `Validator` would just call this additional checker when validating the chain. But this is a bit more complicated because the caller can pass in their own `PKIXBuilderParameters`. But noting here for reference that it is another option.
-------------
Marked as reviewed by mullan (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/27146#pullrequestreview-3216635377
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2344242058
More information about the security-dev
mailing list