RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v9]
Artur Barashev
abarashev at openjdk.org
Fri Sep 12 18:16:11 UTC 2025
On Fri, 12 Sep 2025 13:18:25 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update comments. Remove unnecessary variable assignments.
>
> src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java line 475:
>
>> 473: // Omit checks if EE cert is also a trust anchor
>> 474: if (chain.length > 1) {
>> 475: AlgorithmChecker checker = new AlgorithmChecker(
>
> Another option would be to add this `AlgorithmChecker` as another checker in the `PKIXBuilderParameters` when instantiating a `PKIXValidator`, and then the `Validator` would just call this additional checker when validating the chain. But this is a bit more complicated because the caller can pass in their own `PKIXBuilderParameters`. But noting here for reference that it is another option.
I put together an alternative solution that avoids duplicate calls:
https://github.com/openjdk/jdk/pull/27262/files#diff-c691895596058f5eb4ec609c75ad83ef4a16da85ce6f3499ca89ef412eab15bf
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2345080596