On Thu, 11 Sep 2025 19:29:09 GMT, Sean Mullan <[email protected]> wrote:
>> Artur Barashev has updated the pull request with a new target base due to a merge or a rebase. The pull request now contains eight commits:
>>
>>  - Merge branch 'master' into Check_RSASSA-PSS_cert_params
>>
>>    # Conflicts:
>>    #   src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java
>>  - Add a TrustManager check
>>  - Fix key algorithm bug. Add more test cases
>>  - Use null instead of SIGNATURE_CONSTRAINTS_MODE.NONE
>>  - Use default constraints if SIGNATURE_CONSTRAINTS_MODE is NONE. Log warning and return true on InvalidParameterSpecException
>>  - Address review comments
>>  - More test cases
>>  - 8367104: Check for RSASSA-PSS parameters when validating certificates against algorithm constraints
>
> src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java line 312:
>
>> 310:         checksDisabled = false;
>> 311:
>> 312:         if (mode == null
>
> I can't find any code where `mode` can be `null`.

There is no such code currently. But if somebody makes a call with a `null` mode in the future, it will create a `SupportedSignatureAlgorithmConstraints` object that will always return `false` on permit calls because of the `if (supportedAlgorithms == null || supportedAlgorithms.isEmpty())` check below. So I think it makes sense to check for it here.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2342197304
