To avoid any user confusion, we should block signature scheme names to be used with `CertificateSignature` algorithm constraints usage. For example, `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names and blocking one of those signature scheme with `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signature because other rsa_pss_* signature schemes still will be allowed. We should direct users to use certificate signature algorithm with `CertificateSignature` usage directive. For example:
- To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature" - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature` ------------- Commit messages: - 8366211: Block signature scheme names to be used with CertificateSignature algorithm constraints usage Changes: https://git.openjdk.org/jdk/pull/26970/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=26970&range=00 Issue: https://bugs.openjdk.org/browse/JDK-8366211 Stats: 117 lines in 5 files changed: 107 ins; 3 del; 7 mod Patch: https://git.openjdk.org/jdk/pull/26970.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/26970/head:pull/26970 PR: https://git.openjdk.org/jdk/pull/26970
