On Wed, 27 Aug 2025 19:04:20 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
> To avoid any user confusion, we should block signature scheme names to be
> used with `CertificateSignature` algorithm constraints usage. For example,
> `RSASSA-PSS` certificate signature algorithm corresponds to multiple
> signature scheme names and blocking one of those signature scheme with
> `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate
> signature because other rsa_pss_* signature schemes still will be allowed. We
> should direct users to use certificate signature algorithm with
> `CertificateSignature` usage directive. For example:
>
> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature"
> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage
> CertificateSignature`
test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java
line 46:
> 44: "rsa_pss_pss_sha256 usage CertificateSignature");
> 45:
> 46: runAndCheckException(
Minor: could you please make it `Utils.runAndCheckException` if there are going
to be changes? Not worth another commit on it's own, but would improve the
readability imo
test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java
line 49:
> 47: () -> new BlockSignatureSchemesForCert().run(),
> 48: e -> {
> 49: assertTrue(e instanceof ExceptionInInitializerError);
nit: Do you think this might be a bit easier to read?
Suggestion:
assertTrue(e instanceof ExceptionInInitializerError);
assertTrue(e.getCause() instanceof
IllegalArgumentException);
assertEquals(e.getCause().getMessage(),
"Can't use signature scheme names with "
+ "CertificateSignature usage constraint");
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307485228
PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307586777
