On Fri, 23 May 2025 11:15:38 GMT, Daniel Jeliński <djelin...@openjdk.org> wrote:
>> Artur Barashev has updated the pull request incrementally with one additional commit since the last revision:
>>
>>   Adding a unit test check for certificates
>
> test/jdk/sun/security/ssl/SSLSessionImpl/ResumeChecksServer.java line 227:
>
>> 225:                 // algorithm to constraints so local certificates
>> 226:                 // can't be restored from the session ticket.
>> 227:                 params.setAlgorithmConstraints(
>
> Isn't this a repeat of the SIGNATURE_SCHEME test above?

Hi Daniel!

1. You can see that I've modified `ResumeChecksServer` SIGNATURE_SCHEME case to block signature scheme names specifically, not algorithm names like before. This test case was created for [this check](https://github.com/openjdk/jdk/blob/48df41b6997cfe2c8aa3bc46ea25eff01f615d31/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java#L468) which was done as part of [JDK-8206929](https://bugs.openjdk.org/browse/JDK-8206929) and that's the reason I've kept `localSupportedSignAlgs` in the session ticket.

2. About LOCAL_CERTS case I've added: it blocks initial session's certificate signature algorithm specifically so it's not returned with the new possession when we restore the session. You can comment out all the other cases from ResumeChecksServerStateless.java and run just LOCAL_CERTS case with `-Djavax.net.debug=ssl` option and observe `Local certificates can not be restored` message in the logs. I also ran this test under debugger to confirm things.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/25310#discussion_r2104889778
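
An added example, not code from the PR or from the JDK test: a minimal `AlgorithmConstraints` that denies by exact name, showing that a constraint keyed on a TLS signature scheme name and one keyed on a JCA algorithm name are separate checks. The class name `DenyByName` and the sample names `rsa_pkcs1_sha256` and `SHA256withRSA` are assumptions chosen for illustration; which names JSSE actually passes to `permits` depends on the JDK implementation.

```java
import java.security.AlgorithmConstraints;
import java.security.AlgorithmParameters;
import java.security.CryptoPrimitive;
import java.security.Key;
import java.util.EnumSet;
import java.util.Set;
import javax.net.ssl.SSLParameters;

// Hypothetical constraint: rejects the listed names, permits everything else.
public class DenyByName implements AlgorithmConstraints {
    private final Set<String> denied;

    public DenyByName(String... names) {
        this.denied = Set.of(names);
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           AlgorithmParameters parameters) {
        return !denied.contains(algorithm);
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, Key key) {
        return true; // keys alone are not restricted in this sketch
    }

    @Override
    public boolean permits(Set<CryptoPrimitive> primitives, String algorithm,
                           Key key, AlgorithmParameters parameters) {
        return !denied.contains(algorithm);
    }

    public static void main(String[] args) {
        Set<CryptoPrimitive> sig = EnumSet.of(CryptoPrimitive.SIGNATURE);
        // Constructed sample names: a TLS scheme name and a JCA algorithm name.
        AlgorithmConstraints byScheme = new DenyByName("rsa_pkcs1_sha256");
        AlgorithmConstraints byAlgorithm = new DenyByName("SHA256withRSA");

        // The scheme-name constraint rejects only the scheme name.
        System.out.println(byScheme.permits(sig, "rsa_pkcs1_sha256", null));
        System.out.println(byScheme.permits(sig, "SHA256withRSA", null));
        // The algorithm-name constraint rejects only the algorithm name.
        System.out.println(byAlgorithm.permits(sig, "SHA256withRSA", null));

        // Constraints reach the TLS stack through SSLParameters.
        SSLParameters params = new SSLParameters();
        params.setAlgorithmConstraints(byScheme);
    }
}
```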