8355779: When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension

[artur-oracle]

Per TLSv1.3 RFC:

   If no "signature_algorithms_cert" extension is
   present, then the "signature_algorithms" extension also applies to
   signatures appearing in certificates.

When no "signature_algorithms_cert" extension is present in ClientHello we simply copy "signature_algorithms" extension algorithms already filtered with HANDSHAKE_SCOPE to peerRequestedCertSignSchemes. Instead we should filter "signature_algorithms" extension algorithms with CERTIFICATE_SCOPE as certain algorithms are allowed to be used in certificate signatures but not in handshake signatures.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Issue

• JDK-8355779: When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension (Bug - P2)

Reviewers

• Sean Mullan (@seanjmullan - Reviewer)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/24939/head:pull/24939
$ git checkout pull/24939

Update a local copy of the PR:
$ git checkout pull/24939
$ git pull https://git.openjdk.org/jdk.git pull/24939/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 24939

View PR using the GUI difftool:
$ git pr show -t 24939

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/24939.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back abarashev! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@artur-oracle This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8355779: When no "signature_algorithms_cert" extension is present we do not apply certificate scope constraints to algorithms in "signature_algorithms" extension

Reviewed-by: mullan

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 220 new commits pushed to the master branch:

• 6612281: 8342886: Update MET timezone in TimeZoneNames files
• fbc4691: 8351565: Implement JEP 502: Stable Values (Preview)
• 4c695fa: 8351000: StringBuilder getChar and putChar robustness
• ... and 217 more: https://git.openjdk.org/jdk/compare/cd8adf13ed6579fad9e777aa291146fa653288b0...master

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@seanjmullan) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

[openjdk]

@artur-oracle The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 01: Full - Incremental (ae1b3060)
• 00: Full (7d3b3eee)

[artur-oracle]

/integrate

[openjdk]

@artur-oracle
Your change (at version ae1b306) is now ready to be sponsored by a Committer.

[seanjmullan]

/integrate

[openjdk]

@seanjmullan Only the author (@artur-oracle) is allowed to issue the integrate command. As this pull request is ready to be sponsored, and you are an eligible sponsor, did you mean to issue the /sponsor command?

[seanjmullan]

/sponsor

[openjdk]

Going to push as commit 34807df.
Since your change was applied there have been 236 commits pushed to the master branch:

• 7b31762: 8354235: Test javax/net/ssl/SSLSocket/Tls13PacketSize.java failed with java.net.SocketException: An established connection was aborted by the software in your host machine
• 0cd0afb: 8355913: RISC-V: improve hotspot/jtreg/compiler/vectorization/runner/BasicFloatOpTest.java
• 0a697f6: 8344708: Implement JEP 511: Module Import Declarations
• ... and 233 more: https://git.openjdk.org/jdk/compare/cd8adf13ed6579fad9e777aa291146fa653288b0...master

Your commit was automatically rebased without conflicts.

[openjdk]

@seanjmullan @artur-oracle Pushed as commit 34807df.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.