On Mon, 28 Apr 2025 21:31:49 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
> Per TLSv1.3 RFC:
>
> > If no "signature_algorithms_cert" extension is
> > present, then the "signature_algorithms" extension also applies to
> > signatures appearing in certificates.
>
> When no "signature_algorithms_cert" extension is present in ClientHello we
> simply copy "signature_algorithms" extension algorithms already filtered with
> HANDSHAKE_SCOPE to `peerRequestedCertSignSchemes`. Instead we should filter
> "signature_algorithms" extension algorithms with CERTIFICATE_SCOPE as certain
> algorithms are allowed to be used in certificate signatures but not in
> handshake signatures.

This pull request has now been integrated.

Changeset: 34807df7
Author:    Artur Barashev <abaras...@openjdk.org>
Committer: Sean Mullan <mul...@openjdk.org>
URL:       https://git.openjdk.org/jdk/commit/34807df7627b067f750578987c941213a5f8336a
Stats:     95 lines in 1 file changed: 47 ins; 44 del; 4 mod

8355779: When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension

Reviewed-by: mullan

-------------

PR: https://git.openjdk.org/jdk/pull/24939
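
An added illustration of the behaviour described in the PR, not code from the JDK change itself: a simplified stand-alone model of the two filtering orders. The class, method names, policy table and offered scheme list are constructed for the example; only the scope names and `peerRequestedCertSignSchemes` come from the description above.

```java
import java.util.EnumSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

public class CertScopeDemo {
    // Scope names as used in the PR description (this enum is hypothetical).
    enum Scope { HANDSHAKE_SCOPE, CERTIFICATE_SCOPE }

    // Constructed policy: scheme name -> scopes in which it is disabled.
    static final Map<String, Set<Scope>> DISABLED = Map.of(
        "rsa_pkcs1_sha1", EnumSet.of(Scope.HANDSHAKE_SCOPE),
        "ecdsa_sha1", EnumSet.of(Scope.HANDSHAKE_SCOPE, Scope.CERTIFICATE_SCOPE));

    // Keep only the schemes that the policy permits in the given scope.
    static List<String> filter(List<String> schemes, Scope scope) {
        return schemes.stream()
            .filter(s -> !DISABLED.getOrDefault(s, Set.of()).contains(scope))
            .collect(Collectors.toList());
    }

    // Before the fix: with no "signature_algorithms_cert", the list that was
    // already filtered for handshake signatures is copied unchanged.
    static List<String> certSchemesBefore(List<String> sigAlgs, List<String> sigAlgsCert) {
        if (sigAlgsCert != null) {
            return filter(sigAlgsCert, Scope.CERTIFICATE_SCOPE);
        }
        return filter(sigAlgs, Scope.HANDSHAKE_SCOPE);
    }

    // After the fix: the raw "signature_algorithms" list is filtered with the
    // certificate scope, so cert-only schemes survive.
    static List<String> certSchemesAfter(List<String> sigAlgs, List<String> sigAlgsCert) {
        List<String> source = (sigAlgsCert != null) ? sigAlgsCert : sigAlgs;
        return filter(source, Scope.CERTIFICATE_SCOPE);
    }

    public static void main(String[] args) {
        // Constructed ClientHello content: no "signature_algorithms_cert" sent.
        List<String> sigAlgs = List.of("ecdsa_secp256r1_sha256",
            "rsa_pss_rsae_sha256", "rsa_pkcs1_sha1", "ecdsa_sha1");
        System.out.println("handshake schemes:   " + filter(sigAlgs, Scope.HANDSHAKE_SCOPE));
        System.out.println("cert schemes before: " + certSchemesBefore(sigAlgs, null));
        System.out.println("cert schemes after:  " + certSchemesAfter(sigAlgs, null));
    }
}
```

In this model `rsa_pkcs1_sha1` is missing from the "before" certificate list even though the policy permits it for certificate signatures, which is the case the PR description identifies.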