On Mon, 30 Aug 2021 15:45:00 GMT, Xue-Lei Andrew Fan <[email protected]> wrote:
>> Good suggestion.
>>
>> One more thing: `checkedKeyTypes` only looks at `ss.keyAlgorithm`. I know
>> the other checks (`SignatureScheme.getPreferableAlgorithm` and
>> `X509Authentication.valueOf`) also only look at `ss.keyAlgorithm`, but are
>> we going to check for more (Ex: group name) later? In the meantime, I would
>> suggest changing the parameter type of these methods from `SignatureScheme`
>> to `String` so we know only `keyAlgorithm` is checked.
>
> Did you mean to change hc.peerRequestedCertSignSchemes to String? This field
> would be used for algorithm constraints and more parameters are required
> there.
No, I meant changing the type of the `certScheme` argument in
static SignatureScheme getPreferableAlgorithm(
AlgorithmConstraints constraints,
List<SignatureScheme> schemes,
SignatureScheme certScheme,
ProtocolVersion version) {
to `String`. Since we are only putting `ss.keyAlgorithm` value into the checked
type list, we need to make sure we only check on about `keyAlgorithm` now. My
concern is that suppose one day we decide to check on `ss.namedGroup` as well,
then we will remember to update this method and the checked list at the same
time.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5257
