-
Bug
-
Resolution: Fixed
-
P2
-
25
-
b22
-
Verified
| Issue | Fix Version | Assignee | Priority | Status | Resolution | Resolved In Build |
|---|---|---|---|---|---|---|
| JDK-8356139 | 21.0.9-oracle | Konanki Sreenath | P2 | Resolved | Fixed | b03 |
Per TLSv1.3 RFC:
-------
If no "signature_algorithms_cert" extension is
present, then the "signature_algorithms" extension also applies to
signatures appearing in certificates.
-------
When no "signature_algorithms_cert" extension is present in ClientHello we simply copy "signature_algorithms" extension algorithms already filtered with HANDSHAKE_SCOPE to `peerRequestedCertSignSchemes`. Instead we should filter "signature_algorithms" extension algorithms with CERTIFICATE_SCOPE as certain algorithms are allowed to be used in certificate signatures but not in handshake signatures.
-------
If no "signature_algorithms_cert" extension is
present, then the "signature_algorithms" extension also applies to
signatures appearing in certificates.
-------
When no "signature_algorithms_cert" extension is present in ClientHello we simply copy "signature_algorithms" extension algorithms already filtered with HANDSHAKE_SCOPE to `peerRequestedCertSignSchemes`. Instead we should filter "signature_algorithms" extension algorithms with CERTIFICATE_SCOPE as certain algorithms are allowed to be used in certificate signatures but not in handshake signatures.
- backported by
-
JDK-8356139 When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension
-
- Resolved
-
- caused by
-
JDK-8349583 Add mechanism to disable signature schemes based on their TLS scope
-
- Resolved
-
- links to
-
Commit(master)
openjdk/jdk/34807df7
-
Review(master)
openjdk/jdk/24939