On Thu, 11 Sep 2025 15:48:07 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes >> with algorithm parameters. We don't check for those parameters when >> validating certificates against supported signature algorithm constraints. > > Artur Barashev has updated the pull request with a new target base due to a > merge or a rebase. The pull request now contains eight commits: > > - Merge branch 'master' into Check_RSASSA-PSS_cert_params > > # Conflicts: > # > src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java > - Add a TrustManager check > - Fix key algorithm bug. Add more test cases > - Use null instead of SIGNATURE_CONSTRAINTS_MODE.NONE > - Use default constraints if SIGNATURE_CONSTRAINTS_MODE is NONE. Log warning > and return true on InvalidParameterSpecException > - Address review comments > - More test cases > - 8367104: Check for RSASSA-PSS parameters when validating certificates > against algorithm constraints src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 312: > 310: checksDisabled = false; > 311: > 312: if (mode == null I can't find any code where `mode` can be `null`. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2342134685
