RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v5]
Artur Barashev
abarashev at openjdk.org
Tue Sep 16 18:25:08 UTC 2025
On Wed, 10 Sep 2025 15:41:42 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Add a server-side unit test. Rename existing tests.
>
> src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java line 551:
>
>> 549: sigAlgs.retainAll(hc.localSupportedCertSignAlgs);
>> 550: }
>> 551:
>
> The `sigAlgs` may include handshake scope and certificate scope. Suggest to add a debug log to list the produced signature algorithms.
We actually already log the content of the `signature_algorithms` extension in `ClientHello` and `CertificateRequest` messages.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2353306435
More information about the security-dev
mailing list