On Mon, 8 Sep 2025 21:56:55 GMT, Artur Barashev <[email protected]> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes
>> with algorithm parameters. We don't check for those parameters when
>> validating certificates against algorithm constraints.
>
> Artur Barashev has updated the pull request incrementally with one additional
> commit since the last revision:
>
> More test cases

src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java line 1453:

> 1451: }
> 1452:
> 1453: // try the best to check the algorithm constraints

Not part of your change, but can you remove the words "try the best to" - those words make it sound like it will pass even if the constraint checks fail. Also on line 1478.

src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1408:

> 1406:
> 1407: /**
> 1408: * Gets an array of supported signature schemes that the peer is

s/an array/a collection/

src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java line 1409:

> 1407: /**
> 1408: * Gets an array of supported signature schemes that the peer is
> 1409: * willing to verify. Those are sent with
> "signature_algorithms_cert"

s/with/with the/

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2333935494
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2333917670
PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2333918641
