RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v6]
Hai-May Chao
hchao at openjdk.org
Wed Sep 24 01:31:24 UTC 2025

On Mon, 22 Sep 2025 20:52:56 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> test/jdk/sun/security/ssl/SignatureScheme/DisableCertSignAlgsExtForServerTLS13.java line 131:
>>
>>> 129: // instead, depends on network setup.
>>> 130: || ex instanceof SocketException));
>>> 131: }
>>
>> Here for TLS 1.3, handshake always fails because SHA256withRSA is not allowed for client certificates. Would you consider adding a positive test for TLS 1.3 with a client certificate signed with RSASSA-PSS so we could test handshake will succeed as the client complies?
>
> Actually SHA256withRSA is not allowed for handshake signatures in TLSv1.3, I made a mistake in the test's comment about it which is now corrected. Otherwise I have added a positive test case, good suggestion!

Update looks good.

-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26887#discussion_r2373824682