RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v6]

Artur Barashev abarashev at openjdk.org
Tue Sep 16 19:24:05 UTC 2025 

> [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) implementation assumes that OpenJDK client always sends "signature_algorithms_cert" extension together with "signature_algorithms" extension. But we didn't account for `jdk.tls.client.disableExtensions` and `jdk.tls.server.disableExtensions` system properties which can disable producing "signature_algorithms_cert" extension. This is an issue similar to [JDK-8355779](https://bugs.openjdk.org/browse/JDK-8355779) but on the extension producing side.
> 
> Per TLSv1.3 RFC:
> 
>>  If no "signature_algorithms_cert" extension is
>>    present, then the "signature_algorithms" extension also applies to
>>    signatures appearing in certificates.
> 
> Also making a few cosmetic changes to the existing code.

Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains eight additional commits since the last revision:

 - Add a ticket number to unit tests
 - Merge branch 'master' into JDK-8365820
 - Add a server-side unit test. Rename existing tests.
 - Update tests
 - Revert "Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3"
   
   This reverts commit adc236be4bcac11614e2741c99545aa593f6af5b.
 - Merge branch 'master' into JDK-8365820
 - Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms for TLSv1.3
 - 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/26887/files
  - new: https://git.openjdk.org/jdk/pull/26887/files/89867a60..b934cd1b

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=26887&range=05
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26887&range=04-05

  Stats: 43636 lines in 1532 files changed: 26558 ins; 10380 del; 6698 mod
  Patch: https://git.openjdk.org/jdk/pull/26887.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/26887/head:pull/26887

PR: https://git.openjdk.org/jdk/pull/26887

More information about the security-dev mailing list