RFR: 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints [v10]
Sean Mullan
mullan at openjdk.org
Wed Sep 17 21:14:23 UTC 2025
On Wed, 17 Sep 2025 15:30:44 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes with algorithm parameters. We don't check for those parameters when validating certificates against supported signature algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with two additional commits since the last revision:
>
> - Cleaner certpath validation solution
> - Alternative solution for JDK-8367104
src/java.base/share/classes/sun/security/validator/PKIXValidator.java line 264:
> 262: X509Certificate last = chain[chain.length - 1];
> 263: X500Principal issuer = last.getIssuerX500Principal();
> 264: X500Principal subject = last.getSubjectX500Principal();
unused variable.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2356795259