jiafu1115 commented on code in PR #20967:
URL: https://github.com/apache/kafka/pull/20967#discussion_r2558604341
##########
clients/src/test/java/org/apache/kafka/common/network/SslTransportLayerTest.java:
##########
@@ -1345,6 +1349,39 @@ private static CertStores.Builder certBuilder(boolean
isServer, String cn, boole
.usePem(useInlinePem);
}
+ /**
+ * Check if DSA algorithm is supported by the JVM and if there are
compatible cipher suites
+ * available for TLSv1.2. This is important because even if DSA
KeyPairGenerator is available,
+ * the SSL handshake may fail if no DSA-compatible cipher suites are
available.
+ * @return true if DSA KeyPairGenerator is available and DSA-compatible
cipher suites exist, false otherwise
+ */
+ private static boolean isDsaSupported() {
+ // First check if DSA KeyPairGenerator is available
+ try {
+ java.security.KeyPairGenerator.getInstance("DSA");
+ } catch (java.security.NoSuchAlgorithmException e) {
+ return false;
+ }
+
+ // Check if there are DSA-compatible cipher suites available for
TLSv1.2
+ // DSA algorithms are not supported for TLSv1.3, so we only check
TLSv1.2
+ try {
+ SSLContext context = SSLContext.getInstance("TLSv1.2");
+ context.init(null, null, null);
+ SSLParameters params = context.getDefaultSSLParameters();
+ String[] cipherSuites = params.getCipherSuites();
+
+ // Check if any cipher suite supports DSA
+ // In TLS standards and JVM implementations, DSA signature cipher
suites use "_DSS_" naming
+ // Common patterns: TLS_DHE_DSS_*, TLS_DH_DSS_*, SSL_DHE_DSS_*,
SSL_DH_DSS_*
+ return Arrays.stream(cipherSuites)
+ .anyMatch(suite -> suite.contains("_DSS_"));
+ } catch (Exception e) {
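Review bot: The Javadoc on `isDsaSupported()` says DSA-compatible cipher suites are "available", but the code reads `context.getDefaultSSLParameters()`, which reports only the suites the JVM enables by default for a context initialised with null key and trust managers. If the tests set their own cipher-suite list, or the provider supports `_DSS_` suites without enabling them by default, the result can differ from what the handshake under test negotiates, so the comment should name the set being probed, for example `@return true if a DSA KeyPairGenerator exists and at least one "_DSS_" suite is enabled by default for TLSv1.2`. The Javadoc could also state that a false result presumably causes the DSA test cases to be skipped, so a reader knows that DSA handshake coverage silently disappears on such JVMs. The catch body and the end of the method are outside the quoted hunk.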
Review Comment:
agree