Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8355779

When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: P2 P2
    • 25
    • 25
    • security-libs

        Per TLSv1.3 RFC:
           -------
           If no "signature_algorithms_cert" extension is
           present, then the "signature_algorithms" extension also applies to
           signatures appearing in certificates.
           -------

        When no "signature_algorithms_cert" extension is present in ClientHello we simply copy "signature_algorithms" extension algorithms already filtered with HANDSHAKE_SCOPE to `peerRequestedCertSignSchemes`. Instead we should filter "signature_algorithms" extension algorithms with CERTIFICATE_SCOPE as certain algorithms are allowed to be used in certificate signatures but not in handshake signatures.

              abarashev Artur Barashev
              abarashev Artur Barashev
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: