-
CSR
-
Resolution: Unresolved
-
P4
-
None
-
None
-
behavioral
-
minimal
-
System or security property
-
JDK
Summary
Block signature scheme names to be used with CertificateSignature algorithm constraints usage
Problem
Users can be confused when trying to block RSASSA-PSS
certificate signature by specifying one of the rsa_pss_* signature schemes with CertificateSignature
algorithm usage constraint. RSASSA-PSS
certificate signature algorithm corresponds to multiple signature scheme names and blocking one of those signature scheme with CertificateSignature
usage directive won't block RSASSA-PSS
certificate signature because other rsa_pss_*
signature schemes still will be allowed.
Solution
Block signature scheme names to be used with CertificateSignature algorithm constraints usage and update documentation in java.security
config file.
Specification
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -755,7 +755,12 @@ http.auth.digest.disabledAlgorithms = MD5, SHA-1
# other usage types defined in the jdk.certpath.disabledAlgorithms
# property. The usage type follows the keyword and more than one usage type
# can be specified with a whitespace delimiter.
-# Example: "rsa_pkcs1_sha1 usage HandshakeSignature"
+# Note that TLS signature scheme names can't be used as algorithms with
+# CertificateSignature usage type, only certificate's signature algorithm
+# or certificate's key algorithm are supported for this usage type.
+# Examples:
+# - rsa_pkcs1_sha1 usage HandshakeSignature
+# - SHA1withRSA usage CertificateSignature
#
- csr of
-
JDK-8366211 Block signature scheme names to be used with CertificateSignature algorithm constraints usage
-
- In Progress
-