On Thu, 11 Sep 2025 18:36:32 GMT, Sean Mullan <[email protected]> wrote:
>> Artur Barashev has updated the pull request with a new target base due to a
>> merge or a rebase. The pull request now contains eight commits:
>>
>> - Merge branch 'master' into Check_RSASSA-PSS_cert_params
>>
>>   # Conflicts:
>>   # src/java.base/share/classes/sun/security/ssl/X509KeyManagerCertChecking.java
>> - Add a TrustManager check
>> - Fix key algorithm bug. Add more test cases
>> - Use null instead of SIGNATURE_CONSTRAINTS_MODE.NONE
>> - Use default constraints if SIGNATURE_CONSTRAINTS_MODE is NONE. Log
>>   warning and return true on InvalidParameterSpecException
>> - Address review comments
>> - More test cases
>> - 8367104: Check for RSASSA-PSS parameters when validating certificates
>>   against algorithm constraints
>
> src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java line
> 463:
>
>> 461: // Additional certificate chain check to verify the signature
>> 462: // algorithms with the corresponding signing keys.
>> 463: private void constraintsCertChainCheck(
>
> Can you add a few more comments explaining why this method is important for
> the `rsa_pss_rsae_*` schemes?

Done!

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27146#discussion_r2342289179
