On Tue, 29 Jul 2025 18:20:54 GMT, Artur Barashev <abaras...@openjdk.org> wrote:
>> test/jdk/sun/security/ssl/X509KeyManager/PeerConstraintsCheck.java line 74: >> >>> 72: * This class tests against the peer supported certificate signatures >>> sent in >>> 73: * "signature_algorithms_cert" extension. >>> 74: */ >> >> Can you add a sentence or two about why the test should fail when the >> SunX509 KM is used and the certCheck property is enabled or the PKIX KM is >> used? I think it is because the server's cert is signed with SHA256withECDSA >> and the "signature_algorithms_cert" extension is set to SHA384withECDSA, so >> it must be signed with SHA384withECDSA, is that right? > > Yes, correct: `jdk.tls.client.SignatureSchemes` and > `jdk.tls.server.SignatureSchemes` system properties set signature schemes for > both "signature_algorithms" and "signature_algorithms_cert" extensions. Then > we fail because server's certificate is signed with `SHA256withECDSA`. I'll > update the comment to highlight that detail. BTW, by using the above system properties we also bypass this check in the process: https://github.com/openjdk/jdk/blob/ea754316fd6d691a701dfb4bc921ea8c92dc5dd4/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java#L1011 ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/25016#discussion_r2240642639
