RFR 8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions

Sean Mullan sean.mullan at oracle.com
Mon Mar 21 19:44:39 UTC 2016 

Looking good, mostly minor stuff:

AlgorithmChecker
----------------

151             if (trustedMatch && debug != null) 
debug.println("trustedMatch = true");

put braces around.

java.security
-------------

553 #     lib/security/cacerts.fingerprints file which is initially 
seeded with the

lib/security/cacerts.properties file with a "restricted=yes" attribute 
which is ...

562 # chain that terminate at a distribution provided trust anchor and 
contain

s/terminate/terminates/
s/contain/contains/

CaCertsHasher
-------------

   40  *   Fingerprint

I recommend specifying a format for the attributes, and then defining a 
specific attribute that tags a cert as being restricted. This will make 
the properties file more generally useful if we want to add more 
attributes later. Ex:

Fingerprint [attribute]{;attribute}

   69         if (inFilename == null) {
   70             System.err.println("Input file not defined.");
   71         }
   72         if (outFilename == null) {
   73             System.err.println("Output file not defined.");
   74         }

You should not continue on error in these cases. I think you should just 
change these to:

   69         if (inFilename == null) {
   70             throw new Exception("Input file not defined.");
   71         }
   72         if (outFilename == null) {
   73             throw new Exception("Output file not defined.");
   74         }


   81         PrintStream out = new PrintStream(outFilename);

should use try-with-resources to avoid having to close the file.

   88             if (verbose) {
   89                 System.out.println("No certificates in " + 
inFilename +
   90                         ".  Hash file not created");
   91             }

But you already created the file on line 81.

  103                 prop.store(out, c.getIssuerX500Principal().getName());

Maybe you should use the keystore alias here instead. DNs can be very long.

AnchorCertificates
------------------

   40  * anchor certificate is in the cacerts.fingerprints file which is
   43  * file but not the cacerts.fingerprints file would not be a match.

s/cacerts.fingerprints/cacerts.properties/

--Sean

On 03/18/2016 01:09 PM, Anthony Scarpino wrote:
> I believe I got everyone's comments. I've updated the webrev.
>
> http://cr.openjdk.java.net/~ascarpino/8140422/webrev.02/
>
> Thanks
>
> Tony
>
>
> On 02/29/2016 08:55 AM, Anthony Scarpino wrote:
>> Currently CertPath algorithm restrictions allow or deny all
>> certificates.  This change adds the ability to reject certificate chains
>> that contain a restricted algorithm and the chain terminates at a root
>> CA; therefore, allowing a self-signed or chain that does not terminate
>> at a root CA.
>>
>> https://bugs.openjdk.java.net/browse/JDK-8140422
>>
>> Thanks
>>
>> Tony
>>
>

More information about the security-dev mailing list