-
Bug
-
Resolution: Unresolved
-
P4
-
None
-
24
-
None
-
Cause Known
When the deafult SunX509KeyManagerImpl is being used we are in violation of TLSv1.3 RFC spec because we ignore peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions:
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3
X509KeyManagerImpl on the other hand includes the algorithms sent by the peer in "signature_algorithms_cert" extension (or in "signature_algorithms" extension when "signature_algorithms_cert" extension isn't present) in the algorithm constraints being checked.
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3
X509KeyManagerImpl on the other hand includes the algorithms sent by the peer in "signature_algorithms_cert" extension (or in "signature_algorithms" extension when "signature_algorithms_cert" extension isn't present) in the algorithm constraints being checked.
- relates to
-
JDK-8349583 Add mechanism to disable signature schemes based on their TLS scope
-
- Resolved
-
-
-
- In Progress
-