RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v11]
Sean Mullan
mullan at openjdk.org
Wed Sep 17 21:14:20 UTC 2025
On Wed, 17 Sep 2025 20:03:03 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against supported signature algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>
> Remove unused import. Adjust comments.
src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java line 216:
> 214: }
> 215:
> 216: // Set trust anchor for the user-specified AlgorithmChecker.
AlgorithmChecker is an internal class, so probably won't be passed in by a user. Probably just say "any passed-in AlgorithmChecker".
test/jdk/sun/security/ssl/SignatureScheme/RsaSsaPssConstraints.java line 1:
> 1: /*
Can you also add some tests which cause a `CertPathBuilder` to be used, i.e. via the `PKIXValidator.doBuild` method? I'd like to make sure the behavior is the same. You could try mixing up the order of the chain or throwing in a couple of unnecessary certificates.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2356778213
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2356792676