RFR 8154005: Add algorithm constraint that specifies the restriction date
ecki at zusammenkunft.net
Wed May 11 23:55:29 UTC 2016
Hello,
In AlgorithmChecker the Javadoc seems to not follow the "@param name desc" format (in two places). Also it should most likely describe (something like "time the signature claimed to be made to check time range limited ciphers after that date" or similar)
* @param PKIXParameter timestamp (or null)
DisabledAlgorithmConstrained: The regular expression allows denyafter20160101; it's clear, but \s+ might be clearer? Can optional ISO date separators be added? "(\d{4})-?(\d{2})-?...."
The lowercase constraint classes are rather strange, but fit into existing code...
I don't see in the patch how the date param is certified. Is this only the issued date as certified (by the weak) signature or does it look at timestamps (especially codesigning) too?
There are a few conditions which could be unit tested:
RSA keySize <= 1024 & disablesAfter 20160101 SHA1 disabledAfter 20160102 // valid
RSA disabledAfter 20160101 & disabledAfter 20160101 // not valid
Etc
Regards
Bernd
--
http://bernd.eckenfels.net
-----Original Message-----
From: Anthony Scarpino <anthony.scarpino at oracle.com>
To: OpenJDK Security <security-dev at openjdk.java.net>
Sent: Thu., 12 May 2016 1:16
Subject: RFR 8154005: Add algorithm constraint that specifies the restriction date
Please review the changes related to 8154005. This is a continuation of
JEP-288. It adds a denyAfter constraint that stops PKIX algorithm
support at a specified date.
http://cr.openjdk.java.net/~ascarpino/8154005/webrev/
thanks
Tony
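
The parsing and validity checks suggested in the review above, as an added Java example that is not the webrev's or the JDK's code. The class name, the entry syntax (an algorithm name followed by `&`-joined constraints) and the sample entries are assumptions constructed for illustration.

```java
import java.time.DateTimeException;
import java.time.LocalDate;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DenyAfterSketch {   // hypothetical class, not part of the patch
    // Keyword, mandatory whitespace (\s+), then yyyy[-]MM[-]dd with optional separators.
    private static final Pattern DENY_AFTER = Pattern.compile(
        "denyafter\\s+(\\d{4})-?(\\d{2})-?(\\d{2})", Pattern.CASE_INSENSITIVE);

    /** Returns the denyAfter date of one entry, or null if the entry has none. */
    static LocalDate parseEntry(String entry) {
        String[] parts = entry.trim().split("\\s+", 2);   // [algorithm, constraints]
        if (parts.length < 2) return null;                // algorithm with no constraint
        LocalDate date = null;
        for (String raw : parts[1].split("&")) {
            String c = raw.trim();
            if (!c.toLowerCase(Locale.ROOT).startsWith("denyafter"))
                continue;                                 // other constraint, e.g. keySize
            Matcher m = DENY_AFTER.matcher(c);
            if (!m.matches())
                throw new IllegalArgumentException("Malformed denyAfter: " + c);
            if (date != null)                             // second date on the same algorithm
                throw new IllegalArgumentException("Duplicate denyAfter: " + entry);
            try {                                         // rejects dates such as 2016-02-30
                date = LocalDate.of(Integer.parseInt(m.group(1)),
                    Integer.parseInt(m.group(2)), Integer.parseInt(m.group(3)));
            } catch (DateTimeException e) {
                throw new IllegalArgumentException("Invalid date: " + c, e);
            }
        }
        return date;
    }

    public static void main(String[] args) {
        String[] samples = {                              // constructed sample entries
            "RSA keySize <= 1024 & denyAfter 20160101",   // accepted
            "SHA1 denyAfter 2016-01-02",                  // accepted, ISO separators
            "RSA denyAfter 20160101 & denyAfter 20160101",// rejected: duplicate
            "SHA1 denyafter20160101",                     // rejected: no whitespace
            "SHA1 denyAfter 2016-02-30" };                // rejected: no such day
        for (String s : samples) {
            try { System.out.println(s + " -> " + parseEntry(s)); }
            catch (IllegalArgumentException e) { System.out.println(s + " -> " + e.getMessage()); }
        }
    }
}
```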