On Mon, 8 Sep 2025 21:56:55 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes
>> with algorithm parameters. We don't check for those parameters when
>> validating certificates against algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   More test cases

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 52:

> 50:
> 51:     public enum SIGNATURE_CONSTRAINTS_MODE {
> 52:         NONE, // Don't check against any supported signatures

Do we need NONE? I don't see it used anywhere.

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 311:

> 309:         supportedAlgorithms = null;
> 310:         supportedSignatureSchemes = null;
> 311:         checksDisabled = false;

Not necessary to initialize; those are the defaults.

src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 422:

> 420:         } catch (InvalidParameterSpecException e) {
> 421:             throw new IllegalArgumentException(
> 422:                     "Invalid AlgorithmParameters", e);

I'd be more inclined to log a warning message here, but otherwise return true. This case should only occur if the RSASSA-PSS key is from some 3rd party provider that doesn't implement `AlgorithmParameters` correctly. I don't think that should result in a runtime exception - those should only be thrown if there is an issue with the `java.security` syntax for the disabled properties.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334116853
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334173269
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2334202795
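
Added example, not code from the pull request or the JDK: a stand-alone sketch of checking RSASSA-PSS parameters against a set of disabled digests, with the warn-and-allow handling of `InvalidParameterSpecException` suggested in the third comment. The class `PssParamsCheck`, the helper `permits`, the exact-name digest match and the `SHA-1` policy are assumptions made for illustration.

```java
import java.security.AlgorithmParameters;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.util.Set;
import java.util.logging.Logger;

public class PssParamsCheck {
    private static final Logger LOG = Logger.getLogger("PssParamsCheck");

    // Hypothetical helper: false if the PSS parameters name a disabled digest.
    static boolean permits(AlgorithmParameters params, Set<String> disabledDigests) {
        if (params == null) {
            return true; // signature algorithm carries no parameters
        }
        PSSParameterSpec pss;
        try {
            pss = params.getParameterSpec(PSSParameterSpec.class);
        } catch (InvalidParameterSpecException e) {
            // The provider cannot express its parameters as a PSSParameterSpec.
            // Warn and allow rather than throw a runtime exception.
            LOG.warning("Cannot read RSASSA-PSS parameters: " + e);
            return true;
        }
        if (disabledDigests.contains(pss.getDigestAlgorithm())) {
            return false; // message digest is disabled
        }
        // MGF1 carries its own digest, which has to be checked as well.
        AlgorithmParameterSpec mgf = pss.getMGFParameters();
        if (mgf instanceof MGF1ParameterSpec) {
            String mgfDigest = ((MGF1ParameterSpec) mgf).getDigestAlgorithm();
            return !disabledDigests.contains(mgfDigest);
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = Set.of("SHA-1"); // constructed policy
        AlgorithmParameters weak = AlgorithmParameters.getInstance("RSASSA-PSS");
        weak.init(new PSSParameterSpec("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, 1));
        AlgorithmParameters strong = AlgorithmParameters.getInstance("RSASSA-PSS");
        strong.init(new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1));
        System.out.println("SHA-1 parameters permitted:   " + permits(weak, disabled));
        System.out.println("SHA-256 parameters permitted: " + permits(strong, disabled));
    }
}
```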