JDK-8365820 : Apply certificate scope constraints to algorithms in "signature_algorithms" extension when "signature_algorithms_cert" extension is not being sent
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Affected Version: 25
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • Submitted: 2025-08-19
  • Updated: 2025-09-25
  • Resolved: 2025-09-25
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 26
26 masterFixed
Related Reports
Causes :  
JDK-8349583 - Add mechanism to disable signature schemes based on their TLS scope
Relates :  
JDK-8355779 - When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension
Relates :  
JDK-8365955 - Do not send signature_algorithms_cert extension if not required
Relates :  
JDK-8217633 - Configurable extensions with system properties
Description
JDK-8349583 implementation assumes that OpenJDK client always sends "signature_algorithms_cert" extension together with "signature_algorithms" extension. But we didn't account for `jdk.tls.client.disableExtensions` and `jdk.tls.server.disableExtensions` system properties which can disable producing "signature_algorithms_cert" extension. This is an issue similar to JDK-8355779 but on the extension producing side.

Per TLSv1.3 RFC:
   -------
   If no "signature_algorithms_cert" extension is
   present, then the "signature_algorithms" extension also applies to
   signatures appearing in certificates.
   -------
Comments
Changeset: 569e7808 Branch: master Author: Artur Barashev <abarashev@openjdk.org> Date: 2025-09-25 14:44:06 +0000 URL: https://git.openjdk.org/jdk/commit/569e78080b3c25c95d85e9e194626f95f86b9b10
25-09-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk/pull/26887 Date: 2025-08-21 16:02:05 +0000
21-08-2025