On Thu, 28 Aug 2025 13:50:49 GMT, Mikhail Yankelevich <myankelev...@openjdk.org> wrote:
>> To avoid any user confusion, we should block signature scheme names to be >> used with `CertificateSignature` algorithm constraints usage. For example, >> `RSASSA-PSS` certificate signature algorithm corresponds to multiple >> signature scheme names and blocking one of those signature scheme with >> `CertificateSignature` usage directive won't block `RSASSA-PSS` certificate >> signature because other rsa_pss_* signature schemes still will be allowed. >> We should direct users to use certificate signature algorithm with >> `CertificateSignature` usage directive. For example: >> >> - To be blocked: "rsa_pss_pss_sha256 usage CertificateSignature" >> - To be allowed: `RSASSA-PSS usage CertificateSignature` or `RSA usage >> CertificateSignature` > > test/jdk/sun/security/ssl/SignatureScheme/BlockSignatureSchemesForCert.java > line 46: > >> 44: "rsa_pss_pss_sha256 usage CertificateSignature"); >> 45: >> 46: runAndCheckException( > > Minor: could you please make it `Utils.runAndCheckException` if there are > going to be changes? Not worth another commit on it's own, but would improve > the readability imo I think it's a matter of personal preference, I usually use just `runAndCheckException` in tests. In the production code I prepend the class name to static methods. I wonder if there are any coding style recommendations about it? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26970#discussion_r2307627056
