On Tue, 28 Apr 2026 19:44:44 GMT, Jamil Nimeh <[email protected]> wrote:
>> Artur Barashev has updated the pull request incrementally with one
>> additional commit since the last revision:
>>
>> Client side does not need a certificate
>
> test/jdk/sun/security/ssl/SignatureScheme/TLSCurveMismatch.java line 217:
>
>> 215: .addAuthorityKeyIdExt(caKey)
>> 216: .addKeyUsageExt(new boolean[]{
>> 217: true, true, true, true, true, true, true});
>
> For a TLS cert with an EC key on it, you shouldn't be setting CA key usage
> bit settings or things like encipher/decipherOnly. I'd just set bit 0
> (digitalSignature). Similar story for a CA, it needs bit 5/6 (certs/crls)
> but really nothing else...you could add digital signature too. I'm actually
> kinda surprised that the PKIX validator didn't have an issue with these
> wide-open bit settings.
Ok, I'll make the change for the purity of the test.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/30944#discussion_r3157471618
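
The bit assignments discussed in the review above, as an added example that is not part of the pull request or the JDK test: a small checker over the `boolean[]` layout that `X509Certificate.getKeyUsage()` returns. The class name `KeyUsageAudit`, the `audit` method and the allowed/required sets are hypothetical, and treating bit 0 as required for the end-entity cert is an assumption drawn from the reviewer's suggestion.

```java
import java.util.ArrayList;
import java.util.List;

public class KeyUsageAudit {
    // RFC 5280 KeyUsage bit names, indexed as in X509Certificate.getKeyUsage().
    static final String[] NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment",
        "dataEncipherment", "keyAgreement", "keyCertSign",
        "cRLSign", "encipherOnly", "decipherOnly"};

    // Assumed policy, following the review: bit 0 for an EC TLS end-entity
    // cert; bits 5/6 (optionally bit 0) for a CA cert.
    static final int[] EE_ALLOWED = {0};
    static final int[] EE_REQUIRED = {0};
    static final int[] CA_ALLOWED = {0, 5, 6};
    static final int[] CA_REQUIRED = {5, 6};

    // Returns one finding per unexpected or missing bit; empty means clean.
    static List<String> audit(boolean[] ku, boolean isCa) {
        List<String> findings = new ArrayList<>();
        if (ku == null) {               // getKeyUsage() returns null if absent
            findings.add("no KeyUsage extension");
            return findings;
        }
        boolean[] allowed = new boolean[NAMES.length];
        for (int i : isCa ? CA_ALLOWED : EE_ALLOWED) allowed[i] = true;
        for (int i = 0; i < ku.length && i < NAMES.length; i++) {
            if (ku[i] && !allowed[i]) findings.add("unexpected " + NAMES[i]);
        }
        for (int i : isCa ? CA_REQUIRED : EE_REQUIRED) {
            if (i >= ku.length || !ku[i]) findings.add("missing " + NAMES[i]);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed inputs: the 7-element array quoted in the review,
        // and the narrowed settings the reviewer suggests.
        boolean[] wideOpen = {true, true, true, true, true, true, true};
        boolean[] eeOnly = {true};
        boolean[] caOnly = {false, false, false, false, false, true, true};
        System.out.println("wide-open as EE: " + audit(wideOpen, false));
        System.out.println("wide-open as CA: " + audit(wideOpen, true));
        System.out.println("narrowed EE:     " + audit(eeOnly, false));
        System.out.println("narrowed CA:     " + audit(caOnly, true));
    }
}
```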