bcgit / bc-java

Bouncy Castle Java Distribution (Mirror)
https://www.bouncycastle.org/java.html
MIT License

Support configuring signature_algorithms_cert extension which differ from signature_algorithms extension #1729

Open kexua opened 4 months ago

kexua commented 4 months ago

Hi,

We are currently using the BCJSSE provider via the JSSE API for establishing mTLS connections and have the need to specify signature algorithms for signature_algorithms_cert which differ from those in signature_algorithms. Currently (Version 1.78.1) signature_algorithms_cert is always set to the same list as signature_algorithms.

Would it be possible for you to support a BC specific configuration like "org.bouncycastle.jsse.client/server.SignatureSchemesCert"? (This was shortly mentioned here: https://github.com/bcgit/bc-java/issues/1456) I just checked if a JSSE property for signature_algorithms_cert is available now but couldn't find one.

Thanks.

peterdettman commented 3 months ago

Yeah, in principle we can add those. I'll just need to find some time.

peterdettman commented 2 months ago

There's a new 1.79 SNAPSHOT available here: https://downloads.bouncycastle.org/betas/ .

It supports two new system properties:

BCSSLParameters also has support for [get/set]SignatureSchemesCert methods.

kexua commented 2 months ago

Hi, thanks a lot! I just tested the new version using the system properties and it works. Shall I close the ticket or should it stay open until the snapshot is released?

peterdettman commented 2 months ago

We'll leave it open for now in case people find any problems.
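One way to confirm on the wire that a client really offers a signature_algorithms_cert list different from signature_algorithms, as an added example that is not part of this thread or of Bouncy Castle's code: it parses a ClientHello handshake message and reports extensions 13 and 50. The function names and the sample message are constructed for illustration; only the ClientHello is covered, not a server's CertificateRequest.

```python
import struct

SIG_ALGS, SIG_ALGS_CERT = 13, 50   # IANA ExtensionType values (RFC 8446)
NAMES = {0x0401: "rsa_pkcs1_sha256", 0x0403: "ecdsa_secp256r1_sha256",
         0x0804: "rsa_pss_rsae_sha256", 0x0807: "ed25519"}  # SignatureScheme subset


def _vec(buf, off, width):
    """Read a vector with a `width`-byte length prefix; return (content, next offset)."""
    n = int.from_bytes(buf[off:off + width], "big")
    end = off + width + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + width:end], end


def offered_schemes(client_hello):
    """Return {extension type: [scheme names]} for extensions 13 and 50."""
    if client_hello[:1] != b"\x01":
        raise ValueError("not a ClientHello handshake message")
    body, _ = _vec(client_hello, 1, 3)
    off = 2 + 32                         # legacy_version + random
    for width in (1, 2, 1):              # session_id, cipher_suites, compression
        _, off = _vec(body, off, width)
    exts, _ = _vec(body, off, 2)
    found, pos = {}, 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type in (SIG_ALGS, SIG_ALGS_CERT):
            codes, _ = _vec(data, 0, 2)
            found[ext_type] = [NAMES.get(c, hex(c)) for (c,) in struct.iter_unpack("!H", codes)]
    return found


def schemes_for_certificates(found):
    """RFC 8446 4.2.3: with no signature_algorithms_cert, signature_algorithms also governs certificates."""
    return found.get(SIG_ALGS_CERT, found.get(SIG_ALGS, []))


def _ext(ext_type, codes):               # builds one extension for the constructed sample
    lst = b"".join(c.to_bytes(2, "big") for c in codes)
    data = len(lst).to_bytes(2, "big") + lst
    return ext_type.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data


def sample_client_hello(sig, sig_cert=None):
    """Constructed ClientHello (zero random, one cipher suite), not a capture."""
    exts = _ext(SIG_ALGS, sig) + (_ext(SIG_ALGS_CERT, sig_cert) if sig_cert else b"")
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
            + len(exts).to_bytes(2, "big") + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

If extension 50 is missing from the result, the peer will apply the signature_algorithms list to certificate signatures as well, which is the behaviour the issue describes for 1.78.1.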