Integrated: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent
Artur Barashev
abarashev at openjdk.org
Thu Sep 25 14:47:59 UTC 2025
On Thu, 21 Aug 2025 16:02:05 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
> [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) implementation assumes that OpenJDK client always sends "signature_algorithms_cert" extension together with "signature_algorithms" extension. But we didn't account for `jdk.tls.client.disableExtensions` and `jdk.tls.server.disableExtensions` system properties which can disable producing "signature_algorithms_cert" extension. This is an issue similar to [JDK-8355779](https://bugs.openjdk.org/browse/JDK-8355779) but on the extension producing side.
>
> Per TLSv1.3 RFC:
>
>> If no "signature_algorithms_cert" extension is
>> present, then the "signature_algorithms" extension also applies to
>> signatures appearing in certificates.
>
> Also making a few cosmetic changes to the existing code.
This pull request has now been integrated.
Changeset: 569e7808
Author: Artur Barashev <abarashev at openjdk.org>
URL: https://git.openjdk.org/jdk/commit/569e78080b3c25c95d85e9e194626f95f86b9b10
Stats: 569 lines in 7 files changed: 516 ins; 33 del; 20 mod
8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent
Reviewed-by: hchao
-------------
PR: https://git.openjdk.org/jdk/pull/26887
More information about the security-dev
mailing list