On Wed, 17 Sep 2025 20:03:03 GMT, Artur Barashev <[email protected]> wrote:
>> RSASSA-PSS is currently the only signature algorithm we support that comes >> with algorithm parameters. We don't check for those parameters when >> validating certificates against supported signature algorithm constraints. > > Artur Barashev has updated the pull request incrementally with one additional > commit since the last revision: > > Remove unused import. Adjust comments. src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java line 216: > 214: } > 215: > 216: // Set trust anchor for the user-specified AlgorithmChecker. AlgorithmChecker is an internal class, so probably won't be passed in by a user. Probably just say "any passed-in AlgorithmChecker". test/jdk/sun/security/ssl/SignatureScheme/RsaSsaPssConstraints.java line 1: > 1: /* Can you also add some tests which cause a `CertPathBuilder` to be used. i.e. via the `PKIXValidator.doBuild` method? I'd like to make sure the behavior is the same. You could try mixing up the order of the chain or throwing in a couple of unnecessary certificates. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2356778213 PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2356792676
