Integrated: 8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key

[Sean Mullan]

On Wed, 13 Oct 2021 13:42:25 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> This fix improves the exception message to better indicate when the key (and not the signature algorithm) is restricted. This change also includes a few other improvements:
> 
> - The constraints checking in `AlgorithmChecker.check()` has been improved. If the `AlgorithmConstraints` are an instance of `DisabledAlgorithmConstraints`, the internal `permits` methods are always called; otherwise the public `permits` methods are called. This makes the code easier to understand, and fixes at least one case where duplicate checks were being done.
> 
> - The above change caused some of the exception messages to be slightly different, so some tests that checked the error messages had to be updated to reflect that.
> 
> - AlgorithmDecomposer now stores the decomposed SHA algorithm names in a Map, which fixed a bug where "RSASSA-PSS" was not being restricted properly.

This pull request has now been integrated.

Changeset: 49f9d803
Author:    Sean Mullan <mullan at openjdk.org>
URL:       https://git.openjdk.java.net/jdk/commit/49f9d8031e9c678e20dcfc1ba06758b511a26b07
Stats:     327 lines in 8 files changed: 103 ins; 122 del; 102 mod

8243585: AlgorithmChecker::check throws confusing exception when it rejects the signer key

Reviewed-by: ascarpino

-------------

PR: https://git.openjdk.java.net/jdk/pull/5928