RFR 8154005: Add algorithm constraint that specifies the restriction date

Ivan Gerasimov ivan.gerasimov at oracle.com
Thu May 12 23:13:02 UTC 2016


Hi Anthony!


A few minor comments:

*AlgorithmChecker.java*

It would be more consistent to use {@code ...} tags in place of 
<code>...</code>


*DisabledAlgorithmConstraints.java*

275 Matcher dmatch = denyAfterPattern.matcher(entry);

296 } else if (dmatch.matches()) {


It might be a bit more efficient to reuse already declared `Matcher 
matcher` like this:

     } else if (matcher.usePattern(denyAfterPattern).matches()) {



With kind regards,
Ivan


On 13.05.2016 0:34, Anthony Scarpino wrote:
> I've updated the webrev to at:
>   http://cr.openjdk.java.net/~ascarpino/8154005/webrev.01/
>
> Comments addressed below...
>
> On 05/11/2016 04:55 PM, ecki at zusammenkunft.net wrote:
>> Hello,
>>
>> In AlgorithmChecker the Javadoc seems to not follow "@param name
>> desc" format (in two places). Also it should most likely describe
>> something like "time the signature claimed to be made to check time
>> range limited ciphers after that date or similiar)
>>
>> * @param PKIXParameter timestamp (or null)
>
> Thanks for seeing that.. I updated them.
>
>>
>> DisabledAlgorithmConstrained: The regular expression allows
>> denyafter20160101 its clear, but \s+ might be clearer? Can optional
>> iso  Idate seperators,  be added. "(\d {4})-?(\d {2})-?...."
>
> I think I prefer to require '-' as standard syntax and not use 
> YYYYMMDD.  Sometimes YYYYMMDD not as clear to read as YYYY-MM-DD. I 
> would like to not have two valid formats.
>
>>
>> The lowercase constraint classes are rather strange, but fits into
>> existing code...
>>
>> I dont see in the patch how the date param is certified. Is this only
>> the issued date as certified (by the weak) signature or does it look
>> at timestamps (especially codesigning) too?
>
> The date is passed as part of PKIX, it's optional that PKIX can have a 
> date parameter set to specify a time date.
> The date disallows a certificate with the disabled algorithm on that 
> date.  It does not check validity of the certificate.  This is meant 
> to shutoff the algorithm in certificate checking.  There maybe a 
> exception to this to allowing codesigning certificates a bit longer, 
> but that hasn't been completely decided yet.
>
>>
>> There are a few conditions which could be unit tested:
>>
>> RSA keySize <= 1024 & disablesAfter 20160101 SHA1 disabledAfter
>> 20160102 // valid RSA disabledAfter 20160101 & disabledAfter 20160101
>> // not valid Etc
>
> Yes.  There are a number of tests that are in the closed test repo 
> because they use certificates that are not for public use.
>
> thanks
>
> Tony
>
>>
>> Gruss
> >
>> Bernd
>>
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20160513/93b0e6e0/attachment.htm>


More information about the security-dev mailing list