When the deafult SunX509KeyManagerImpl is being used we are in violation of TLSv1.3 RFC spec because we ignore peer supported certificate signatures sent to us in "signature_algorithms"/"signature_algorithms_cert" extensions: https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2 https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3
X509KeyManagerImpl on the other hand includes the algorithms sent by the peer in "signature_algorithms_cert" extension (or in "signature_algorithms" extension when "signature_algorithms_cert" extension isn't present) in the algorithm constraints being checked. ------------- Commit messages: - Add unit test - Code refactoring - Fix open unit tests - Adding a system property to skip the constraints checking. Remove SunX509c. - Fix constraints check - Revert SSLHandshake.java. Set SunX509c as default. Update copyright. - 8353113: Peer supported certificate signature algorithms are not being checked with default SunX509 key manager - Address review comments - Skip explicit KeyPair initialization and let the provider default set it - Rework unit tests - ... and 3 more: https://git.openjdk.org/jdk/compare/cd8adf13...75528109 Changes: https://git.openjdk.org/jdk/pull/25016/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=00 Issue: https://bugs.openjdk.org/browse/JDK-8353113 Stats: 1168 lines in 15 files changed: 769 ins; 333 del; 66 mod Patch: https://git.openjdk.org/jdk/pull/25016.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/25016/head:pull/25016 PR: https://git.openjdk.org/jdk/pull/25016
