Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8366211

Block signature scheme names to be used with CertificateSignature algorithm constraints usage

XMLWordPrintable

    • Icon: Enhancement Enhancement
    • Resolution: Unresolved
    • Icon: P4 P4
    • None
    • 25
    • security-libs
    • None

      To avoid any user confusion, we should block signature scheme names to be used with `CertificateSignature` algorithm constraints usage. For example, `RSASSA-PSS` certificate signature algorithm corresponds to multiple signature scheme names and blocking one of those signature scheme with `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate signature because other rsa_pss_* signature schemes still will be allowed. We should direct users to use certificate signature algorithm with `CertificateSignature` usage directive. For example:

      - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature"
      - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage CertificateSignature`

            abarashev Artur Barashev
            abarashev Artur Barashev
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: