> When the deafult SunX509KeyManagerImpl is being used we are in violation of 
> TLSv1.3 RFC spec because we ignore peer supported certificate signatures sent 
> to us in "signature_algorithms"/"signature_algorithms_cert" extensions:
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2
> https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3
> 
> X509KeyManagerImpl on the other hand includes the algorithms sent by the peer 
> in "signature_algorithms_cert" extension (or in "signature_algorithms" 
> extension when "signature_algorithms_cert" extension isn't present) in the 
> algorithm constraints being checked.

Artur Barashev has updated the pull request incrementally with one additional 
commit since the last revision:

  Make the test run on TLSv1.3

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/25016/files
  - new: https://git.openjdk.org/jdk/pull/25016/files/5c137c14..451e1efd

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=03
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=25016&range=02-03

  Stats: 25 lines in 2 files changed: 5 ins; 7 del; 13 mod
  Patch: https://git.openjdk.org/jdk/pull/25016.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/25016/head:pull/25016

PR: https://git.openjdk.org/jdk/pull/25016

Reply via email to