On Tue, 17 Nov 2020 19:07:33 GMT, Xue-Lei Andrew Fan <xue...@openjdk.org> wrote:
>> Hello all,
>> This change brings in support for certificates with EdDSA keys (both Ed25519
>> and Ed448) allowing those signature algorithms to be used both on the
>> certificates themselves and used during the handshaking process for messages
>> like CertificateVerify, ServerKeyExchange and so forth.
>
> test/jdk/javax/net/ssl/TLSCommon/TLSWithEdDSA.java line 583:
>
>> 581:         serverParameters.put(ParamType.CERTALIAS, "EE_ED25519");
>> 582:         runtest(testFormat, isPeerEd25519, null, null, null);
>> 583:         serverParameters.remove(ParamType.CERTALIAS);
>
> I did not get the idea here. Is there a special case in practice that uses a
> similar key manager like the AliasKeyManager?

Right now, for TLS 1.0/1.1, EC certificates will be favored over EdDSA certificates in keystores that have valid certificates with both kinds of keys. There's nothing we can do about that because 1.0/1.1 has no signaling mechanism to indicate signature preference like 1.2+ has. Given that, I was thinking of ways to get around that restriction, and one case I thought of was the Tomcat connector, which has options to specify a certificate for use by alias. I wanted to make sure that we could still do that for 1.0/1.1 and it wouldn't break, so I cooked up this simple KeyManager and ran a basic connection, expecting to see the cert specified by the alias.

-------------

PR: https://git.openjdk.java.net/jdk/pull/1197
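The alias-selection approach described in the reply above, as an added example that is not part of the original message or the PR's test code. The class name `PinnedAliasKeyManager` is hypothetical, the entries are assumed to be X.509, and `main` uses a constructed empty keystore to show the missing-alias case.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

// Hypothetical key manager (not the test's AliasKeyManager): serves one alias only.
public final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
    private final KeyStore ks;
    private final char[] pass;
    private final String alias;
    public PinnedAliasKeyManager(KeyStore ks, char[] pass, String alias) {
        this.ks = ks; this.pass = pass.clone(); this.alias = alias;
    }
    // The requested key type is ignored. The alias is offered only when the store
    // holds a private key for it; null means "no credential", never another cert.
    private String pinned() { return getPrivateKey(alias) != null ? alias : null; }
    private String[] one() { String a = pinned(); return a == null ? null : new String[] { a }; }
    @Override public String chooseServerAlias(String type, Principal[] iss, Socket s) { return pinned(); }
    @Override public String chooseEngineServerAlias(String type, Principal[] iss, SSLEngine e) { return pinned(); }
    @Override public String chooseClientAlias(String[] types, Principal[] iss, Socket s) { return pinned(); }
    @Override public String chooseEngineClientAlias(String[] types, Principal[] iss, SSLEngine e) { return pinned(); }
    @Override public String[] getServerAliases(String type, Principal[] iss) { return one(); }
    @Override public String[] getClientAliases(String type, Principal[] iss) { return one(); }
    @Override public PrivateKey getPrivateKey(String a) {
        try {
            if (!alias.equals(a)) return null;   // refuse every alias except the pinned one
            Key k = ks.getKey(a, pass);
            return (k instanceof PrivateKey) ? (PrivateKey) k : null;
        } catch (GeneralSecurityException e) { return null; }
    }
    @Override public X509Certificate[] getCertificateChain(String a) {
        try {
            Certificate[] c = alias.equals(a) ? ks.getCertificateChain(a) : null;
            return c == null ? null : Arrays.copyOf(c, c.length, X509Certificate[].class);
        } catch (GeneralSecurityException e) { return null; }
    }
    public static void main(String[] args) throws Exception {
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);                  // constructed: in-memory store with no entries
        PinnedAliasKeyManager km = new PinnedAliasKeyManager(empty, new char[0], "EE_ED25519");
        System.out.println("alias offered for EC: " + km.chooseServerAlias("EC", null, null));
    }
}
```

With a keystore that does contain the alias, the manager is passed to `SSLContext.init` in a `KeyManager[]` in place of the factory-produced key managers.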