On Thu, 28 Aug 2025 14:26:06 GMT, Mikhail Yankelevich
<[email protected]> wrote:
>> To avoid any user confusion, we should block signature scheme names to be
>> used with `CertificateSignature` algorithm constraints usage. For example,
>> `RSASSA-PSS` certificate signature algorithm corresponds to multiple
>> signature scheme names and blocking one of those signature scheme with
>> `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate
>> signature because other rsa_pss_* signature schemes still will be allowed.
>> We should direct users to use certificate signature algorithm with
>> `CertificateSignature` usage directive. For example:
>>
>> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature"
>> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage
>> CertificateSignature`
>
> test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java
> line 49:
>
>> 47: () -> new BlockSignatureSchemesForCert().run(),
>> 48: e -> {
>> 49: assertTrue(e instanceof ExceptionInInitializerError);
>
> nit: Do you think this might be a bit easier to read?
>
> Suggestion:
>
> assertTrue(e instanceof ExceptionInInitializerError);
> assertTrue(e.getCause() instanceof
> IllegalArgumentException);
> assertEquals(e.getCause().getMessage(),
> "Can't use signature scheme names with "
> + "CertificateSignature usage constraint");
1) We need to keep the line length under 80 characters.
2) The string concatenation alignment is a known issue with IntelliJ: `Binary
expressions: align when multiline` checkbox works great for concatenated
strings but not for multiline conditional statements. I'll try to fix it on the
next iteration.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307662129
