RFR 8154005: Add algorithm constraint that specifies the restriction date
Anthony Scarpino
anthony.scarpino at oracle.com
Thu May 12 21:34:49 UTC 2016
I've updated the webrev to at:
http://cr.openjdk.java.net/~ascarpino/8154005/webrev.01/
Comments addressed below...
On 05/11/2016 04:55 PM, ecki at zusammenkunft.net wrote:
> Hello,
>
> In AlgorithmChecker the Javadoc seems to not follow "@param name
> desc" format (in two places). Also it should most likely describe
> something like "time the signature claimed to be made to check time
> range limited ciphers after that date or similiar)
>
> * @param PKIXParameter timestamp (or null)
Thanks for seeing that.. I updated them.
>
> DisabledAlgorithmConstrained: The regular expression allows
> denyafter20160101 its clear, but \s+ might be clearer? Can optional
> iso Idate seperators, be added. "(\d {4})-?(\d {2})-?...."
I think I prefer to require '-' as standard syntax and not use YYYYMMDD.
Sometimes YYYYMMDD not as clear to read as YYYY-MM-DD. I would like to
not have two valid formats.
>
> The lowercase constraint classes are rather strange, but fits into
> existing code...
>
> I dont see in the patch how the date param is certified. Is this only
> the issued date as certified (by the weak) signature or does it look
> at timestamps (especially codesigning) too?
The date is passed as part of PKIX, it's optional that PKIX can have a
date parameter set to specify a time date.
The date disallows a certificate with the disabled algorithm on that
date. It does not check validity of the certificate. This is meant to
shutoff the algorithm in certificate checking. There maybe a exception
to this to allowing codesigning certificates a bit longer, but that
hasn't been completely decided yet.
>
> There are a few conditions which could be unit tested:
>
> RSA keySize <= 1024 & disablesAfter 20160101 SHA1 disabledAfter
> 20160102 // valid RSA disabledAfter 20160101 & disabledAfter 20160101
> // not valid Etc
Yes. There are a number of tests that are in the closed test repo
because they use certificates that are not for public use.
thanks
Tony
>
> Gruss
>
> Bernd
>
More information about the security-dev
mailing list