> Per TLSv1.3 RFC:
>
> > If no "signature_algorithms_cert" extension is
> > present, then the "signature_algorithms" extension also applies to
> > signatures appearing in certificates.
>
> When no "signature_algorithms_cert" extension is present in ClientHello we
> simply copy "signature_algorithms" extension algorithms already filtered with
> HANDSHAKE_SCOPE to `peerRequestedCertSignSchemes`. Instead we should filter
> "signature_algorithms" extension algorithms with CERTIFICATE_SCOPE as certain
> algorithms are allowed to be used in certificate signatures but not in
> handshake signatures.

Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:

  Take "signature_algorithms_cert" extension as parameter

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/24939/files
  - new: https://git.openjdk.org/jdk/pull/24939/files/7d3b3eee..ae1b3060

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=24939&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=24939&range=00-01

  Stats: 8 lines in 1 file changed: 3 ins; 0 del; 5 mod
  Patch: https://git.openjdk.org/jdk/pull/24939.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/24939/head:pull/24939

PR: https://git.openjdk.org/jdk/pull/24939
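
The fallback described in the quoted description, as an added example (not code from the JDK or from this pull request): when "signature_algorithms_cert" is absent, the raw "signature_algorithms" list is filtered again for certificate use instead of being copied after handshake filtering. The `Scope` and `Scheme` types, the scheme table and `peerCertSchemes` are hypothetical; the table relies on RFC 8446 restricting the rsa_pkcs1_* schemes to certificate signatures in TLS 1.3.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Set;

public class CertSigSchemeFallback {
    enum Scope { HANDSHAKE, CERTIFICATE }

    // Constructed scheme table (assumption, not the JDK's own data).
    // Per RFC 8446, rsa_pkcs1_* is valid only in certificate signatures.
    enum Scheme {
        ECDSA_SECP256R1_SHA256(EnumSet.of(Scope.HANDSHAKE, Scope.CERTIFICATE)),
        RSA_PSS_RSAE_SHA256(EnumSet.of(Scope.HANDSHAKE, Scope.CERTIFICATE)),
        RSA_PKCS1_SHA256(EnumSet.of(Scope.CERTIFICATE));

        final Set<Scope> scopes;
        Scheme(Set<Scope> scopes) { this.scopes = scopes; }
    }

    // Keep only the schemes permitted for the given use.
    static List<Scheme> filter(List<Scheme> offered, Scope scope) {
        return offered.stream().filter(s -> s.scopes.contains(scope)).toList();
    }

    // sigAlgs: raw "signature_algorithms" list as sent by the peer.
    // sigAlgsCert: raw "signature_algorithms_cert" list, or null when the
    // extension is absent, in which case sigAlgs applies to certificates too.
    static List<Scheme> peerCertSchemes(List<Scheme> sigAlgs, List<Scheme> sigAlgsCert) {
        List<Scheme> source = (sigAlgsCert != null) ? sigAlgsCert : sigAlgs;
        return filter(source, Scope.CERTIFICATE);
    }

    public static void main(String[] args) {
        // Constructed ClientHello contents: no "signature_algorithms_cert".
        List<Scheme> sigAlgs = List.of(Scheme.ECDSA_SECP256R1_SHA256,
                Scheme.RSA_PSS_RSAE_SHA256, Scheme.RSA_PKCS1_SHA256);

        List<Scheme> handshake = filter(sigAlgs, Scope.HANDSHAKE);
        // Copying the handshake-filtered list loses the certificate-only scheme.
        List<Scheme> copied = handshake;
        // Filtering the raw list with the certificate scope keeps it.
        List<Scheme> refiltered = peerCertSchemes(sigAlgs, null);

        System.out.println("handshake schemes:         " + handshake);
        System.out.println("cert schemes (copied):     " + copied);
        System.out.println("cert schemes (refiltered): " + refiltered);
    }
}
```

With the copied list, a peer certificate chain signed with RSA PKCS#1 v1.5 would be treated as unsupported even though the peer offered that scheme for certificates.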