RFR: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key [v5]
Sean Mullan
mullan at openjdk.java.net
Thu Oct 21 14:40:37 UTC 2021
> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements:
>
> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done.
>
> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that.
>
> - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly.
Sean Mullan has updated the pull request incrementally with one additional commit since the last revision:
Add setTrustAnchorAndKeys method and change ctor and trySetTrustAnchor to call it.
-------------
Changes:
- all: https://git.openjdk.java.net/jdk/pull/5928/files
- new: https://git.openjdk.java.net/jdk/pull/5928/files/052c28f5..d163b5b1
Webrevs:
- full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=04
- incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=03-04
Stats: 32 lines in 1 file changed: 14 ins; 15 del; 3 mod
Patch: https://git.openjdk.java.net/jdk/pull/5928.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928
PR: https://git.openjdk.java.net/jdk/pull/5928
More information about the security-dev
mailing list