On Thu, 28 Aug 2025 21:37:22 GMT, Artur Barashev <[email protected]> wrote:
>> To avoid any user confusion, we should block signature scheme names to be >> used with `CertificateSignature` algorithm constraints usage. For example, >> `RSASSA-PSS` certificate signature algorithm corresponds to multiple >> signature scheme names and blocking one of those signature scheme with >> `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate >> signature because other rsa_pss_* signature schemes still will be allowed. >> We should direct users to use certificate signature algorithm with >> `CertificateSignature` usage directive. For example: >> >> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature" >> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage >> CertificateSignature` > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Fix string concatenation alignment. Use upper-case characters in the test > signature scheme name. src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java line 822: > 820: // We avoid calling back the SSL layer to get these names > because of > 821: // the circular dependency. > 822: private static final Set<String> BLOCKED_FOR_CERT_SCOPE = Set.of( Will we need to update the list whenever a new scheme is introduced? I've noticed all names contain an underscore and IIRC no standard name of a Signature has it. Do you think we can just check for the underscore character as a heuristic? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2322237448
