JDK-8353113 : Peer supported certificate signature algorithms are not being checked with default SunX509 key manager
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 24
  • Priority: P4
  • Status: Closed
  • Resolution: Duplicate
  • Submitted: 2025-03-27
  • Updated: 2025-06-18
  • Resolved: 2025-06-18
The Version table lists the release in which this issue/RFE will be or has been addressed:
  • Unresolved: release in which this issue/RFE will be addressed.
  • Resolved: release in which this issue/RFE has been resolved.
  • Fixed: release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • Fix Version: JDK 26 (Resolved)
Related Reports
  • Duplicate:
  • Relates:
  • Relates:
  • Relates:
Description
When the default SunX509KeyManagerImpl is in use, the JDK violates the TLS 1.3 specification (RFC 8446) because it ignores the certificate signature algorithms the peer advertises in the "signature_algorithms" and "signature_algorithms_cert" extensions:
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.2
https://datatracker.ietf.org/doc/html/rfc8446#section-4.4.2.3

X509KeyManagerImpl, by contrast, adds the algorithms sent by the peer in the "signature_algorithms_cert" extension (or in the "signature_algorithms" extension when "signature_algorithms_cert" is absent) to the algorithm constraints it checks when selecting a certificate chain.
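Two ways an application can avoid the gap described above, as an added example that is not part of the bug report and not JDK code: either request the "PKIX" KeyManagerFactory (alias "NewSunX509"), which is backed by X509KeyManagerImpl, or wrap a "SunX509" key manager in a hypothetical X509ExtendedKeyManager that reads the peer's advertised algorithms from ExtendedSSLSession.getPeerSupportedSignatureAlgorithms() and prefers an alias whose chain is signed only with those algorithms. The class name, the static helpers and the plain string comparison between X509Certificate.getSigAlgName() and the peer's list are assumptions of this example; X509KeyManagerImpl itself goes through AlgorithmConstraints rather than comparing names.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.ExtendedSSLSession;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

/** Hypothetical wrapper (not JDK code): delegates to an existing X509KeyManager but prefers
 *  an alias whose chain is signed only with algorithms the peer advertised. */
public final class PeerSigAlgAwareKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;

    public PeerSigAlgAwareKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    /** Option 1: the "PKIX" factory is backed by X509KeyManagerImpl, which already
     *  applies the peer's certificate signature constraints. */
    public static KeyManager[] pkixKeyManagers(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("PKIX");
        kmf.init(ks, keyPassword);
        return kmf.getKeyManagers();
    }

    /** Option 2: keep the default "SunX509" factory but add the peer check on top. */
    public static KeyManager[] wrappedSunX509(KeyStore ks, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPassword);
        KeyManager[] kms = kmf.getKeyManagers();
        for (int i = 0; i < kms.length; i++) {
            if (kms[i] instanceof X509KeyManager) {
                kms[i] = new PeerSigAlgAwareKeyManager((X509KeyManager) kms[i]);
            }
        }
        return kms;
    }

    @Override
    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        return pick(delegate.getServerAliases(keyType, issuers), engine.getHandshakeSession());
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        return pick(delegate.getServerAliases(keyType, issuers), s);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) {
        return pickClient(keyTypes, issuers, engine.getHandshakeSession());
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        return pickClient(keyTypes, issuers, s);
    }

    private String pickClient(String[] keyTypes, Principal[] issuers, SSLSession session) {
        for (String keyType : keyTypes) {
            String alias = pick(delegate.getClientAliases(keyType, issuers), session);
            if (alias != null) return alias;
        }
        return null;
    }

    /** Prefer the first alias whose chain the peer can validate. If none qualifies, fall back to
     *  the delegate's first candidate: RFC 8446 4.4.2.2 says a server SHOULD still continue with
     *  a chain of its choice rather than fail outright. */
    private String pick(String[] aliases, SSLSession session) {
        if (aliases == null || aliases.length == 0) return null;
        String[] peerAlgs = (session instanceof ExtendedSSLSession)
                ? ((ExtendedSSLSession) session).getPeerSupportedSignatureAlgorithms() : null;
        if (peerAlgs == null || peerAlgs.length == 0) return aliases[0]; // no extension: nothing to check
        for (String alias : aliases) {
            if (chainSignedWith(delegate.getCertificateChain(alias), peerAlgs)) return alias;
        }
        return aliases[0];
    }

    /** True when every non-self-signed certificate in the chain uses a peer-advertised algorithm.
     *  A self-signed certificate begins the path and its own signature is not validated by the
     *  peer (RFC 8446 4.2.3), so it is skipped. Name matching is this example's simplification. */
    static boolean chainSignedWith(X509Certificate[] chain, String[] peerAlgs) {
        if (chain == null) return false;
        for (X509Certificate c : chain) {
            if (c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) continue;
            String sig = c.getSigAlgName(); // e.g. "SHA256withRSA", "SHA256withECDSA"
            boolean ok = false;
            for (String p : peerAlgs) { if (p.equalsIgnoreCase(sig)) { ok = true; break; } }
            if (!ok) return false;
        }
        return true;
    }

    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
}
```

Pass the result of either helper to SSLContext.init(...) in place of the KeyManager[] you use today. The wrapper only changes which alias is preferred; it never returns an alias the delegate would not have offered, so certificate selection can only become more conservative, not break an existing deployment.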