On Thu, 4 Sep 2025 17:37:06 GMT, Sean Mullan <[email protected]> wrote:
>> Artur Barashev has updated the pull request incrementally with one >> additional commit since the last revision: >> >> Fix string concatenation alignment. Use upper-case characters in the test >> signature scheme name. > > src/java.base/share/conf/security/java.security line 764: > >> 762: # - rsa_pkcs1_sha1 usage HandshakeSignature >> 763: # - SHA1withRSA usage CertificateSignature >> 764: # > > I suggest we also include more details on the acceptable algorithms for > HandshakeSignature. I suggest rewording something like: > >> HandshakeSignature restricts the use of the algorithm in TLS handshake >> signatures. The algorithm is the name of the TLS signature scheme as >> specified in the Signature Schemes section of the Java Security Standard >> Algorithm Names specification. >> >> CertificateSignature restricts the use of the algorithm in certificate >> signatures. The algorithm is the name of a java.security.Signature algorithm >> as specifed in the Signature Algorithms section of the Java Security >> Standard Algorithm Names specification. >> >> An algorithm with the HandshakeSignature or CertificateSignature constraint >> cannot include other usage types defined in the >> jdk.certpath.disabledAlgorithms property. The usage type follows the >> keyword and more than one usage type can be specified with a whitespace >> delimiter. >> > > I don't think you need to say TLS signature schemes cannot be used with > CertificateSignature as long as you are clear above as to what the acceptable > algorithms are. Does HandshakeSignature only support TLS signature schemes or > does it also support java.security.Signature algorithms? Both `HandshakeSignature` and `CertificateSignature` currently support 3 kinds of algorithms as defined in `SignatureScheme.java`: - Signature Schemes - Signature Algorithms - Signature Key Algorithm With this PR we are blocking `Signature Schemes` for `CertificateSignature`. Also, we don't do any algorithm decomposing for usage constraint, i.e. no sub-element matching as described in `jdk.certpath.disabledAlgorithms` documentation in `java.security`. That could be another point of confusion. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2323049989
