On Tue, 11 Feb 2025 17:50:45 GMT, Jamil Nimeh <jni...@openjdk.org> wrote:
> This fix makes some minor changes to the internals of the > `CertificateBuilder` and `SimpleOCSPServer` test classes. They would break > when ML-DSA was selected as key and signing algorithms. Also RSASSA-PSS > works better now with these changes. I've also taken this opportunity to do > some cleanup on CertificateBuilder and added a method which uses a default > signing algorithm based on the key, so the `build()` method no longer needs > to provide that algorithm (though one can if they wish for things like RSA > signatures if they want a different message digest in the signature). I see no reason why an ECDSA end-entity key wouldn't work when signed from an ML-DSA root. To be clear, this just fixes these test classes I wrote a long time ago where the creation of signatures on certs and OCSP responses just wasn't done in a manner as algorithm-neutral as I intended it to be. As far as I've seen since the inclusion of ML-DSA, CertPathValidator operations seem to work just fine. I haven't gone looking to see who in the 3rd party world is doing ML-DSA certs...the goal of this PR was to make sure that we could simply build those cert chains for use with our tests, especially where we needed an OCSP server. ------------- PR Comment: https://git.openjdk.org/jdk/pull/23566#issuecomment-2652318099
