On Tue, 29 Jul 2025 18:05:01 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one >> additional commit since the last revision: >> >> Address review comments > > test/jdk/sun/security/ssl/X509KeyManager/PeerConstraintsCheck.java line 74: > >> 72: * This class tests against the peer supported certificate signatures >> sent in >> 73: * "signature_algorithms_cert" extension. >> 74: */ > > Can you add a sentence or two about why the test should fail when the SunX509 > KM is used and the certCheck property is enabled or the PKIX KM is used? I > think it is because the server's cert is signed with SHA256withECDSA and the > "signature_algorithms_cert" extension is set to SHA384withECDSA, so it must > be signed with SHA384withECDSA, is that right? Yes, correct: `jdk.tls.client.SignatureSchemes` and `jdk.tls.server.SignatureSchemes` system properties set signature schemes for both "signature_algorithms" and "signature_algorithms_cert" extensions. Then we fail because server's certificate is signed with `SHA256withECDSA`. I'll update the comment to highlight that detail. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240621241
