Re: RFR: 8365820: Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent [v7]

Sat, 18 Oct 2025 13:05:08 -0700 

On Mon, 22 Sep 2025 21:10:13 GMT, Artur Barashev <[email protected]> wrote:

>> [JDK-8349583](https://bugs.openjdk.org/browse/JDK-8349583) implementation 
>> assumes that OpenJDK client always sends "signature_algorithms_cert" 
>> extension together with "signature_algorithms" extension. But we didn't 
>> account for `jdk.tls.client.disableExtensions` and 
>> `jdk.tls.server.disableExtensions` system properties which can disable 
>> producing "signature_algorithms_cert" extension. This is an issue similar to 
>> [JDK-8355779](https://bugs.openjdk.org/browse/JDK-8355779) but on the 
>> extension producing side.
>> 
>> Per TLSv1.3 RFC:
>> 
>>>  If no "signature_algorithms_cert" extension is
>>>    present, then the "signature_algorithms" extension also applies to
>>>    signatures appearing in certificates.
>> 
>> Also making a few cosmetic changes to the existing code.
>
> Artur Barashev has updated the pull request with a new target base due to a 
> merge or a rebase. The incremental webrev excludes the unrelated changes 
> brought in by the merge/rebase. The pull request contains 10 additional 
> commits since the last revision:
> 
>  - Add a positive test case
>  - Merge branch 'master' into JDK-8365820
>  - Add a ticket number to unit tests
>  - Merge branch 'master' into JDK-8365820
>  - Add a server-side unit test. Rename existing tests.
>  - Update tests
>  - Revert "Include RSASSA-PKCS1-v1_5 and Legacy algorithms in 
> signature_algorithms for TLSv1.3"
>    
>    This reverts commit adc236be4bcac11614e2741c99545aa593f6af5b.
>  - Merge branch 'master' into JDK-8365820
>  - Include RSASSA-PKCS1-v1_5 and Legacy algorithms in signature_algorithms 
> for TLSv1.3
>  - 8365820: Apply certificate scope constraints to algorithms in 
> "signature_algorithms" extension when "signature_algorithms_cert" extension 
> is not being sent

The @summary in DisableCertSignAlgsExtForServerTLS13, 
DisableCertSignAlgsExtForClientTLS13, and DisableCertSignAlgsExtForClientTLS12 
are identical. Suggest to include difference from client or sever perspective, 
and protocol version.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/26887#issuecomment-3326146117

Reply via email to