RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v2]

Sean Mullan mullan at openjdk.java.net
Mon Jan 24 16:15:17 UTC 2022


On Fri, 21 Jan 2022 03:34:24 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` class when performing algorithm constraints checks. This change is to enhance `keytool` to make use of the new methods `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters` and `checkKey` parameters. For the key usage in the EE certificate of a certificate chain, set the variant accordingly when calling `CertPathConstraintsParameters` constructor.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Update with review comments

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 4908:

> 4906:                 if (eMessage.contains("denyAfter constraint check failed") &&
> 4907:                         e.getReason() == BasicReason.ALGORITHM_CONSTRAINED) {
> 4908:                     String separator = "java.security: ";

Did you consider extracting the date from the security property? Ex: `Security.getProperty("jdk.certpath.disabledAlgorithms")`? I think that would be a better solution instead of parsing the exception message, which might change in the future.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039
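An added illustration of the approach suggested in the reply above (this is example code, not part of the PR or the reviewer's message): reading the `denyAfter` date for an algorithm directly from the `jdk.certpath.disabledAlgorithms` security property instead of parsing the exception text. It assumes the constraint syntax documented in the `java.security` file (comma-separated entries, constraints within an entry joined with `&`, `denyAfter YYYY-MM-DD`); the class and method names are hypothetical.

```java
import java.security.Security;
import java.time.LocalDate;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DenyAfterLookup {
    // Matches the "denyAfter YYYY-MM-DD" constraint form documented in java.security.
    private static final Pattern DENY_AFTER =
            Pattern.compile("denyAfter\\s+(\\d{4}-\\d{2}-\\d{2})", Pattern.CASE_INSENSITIVE);

    /**
     * Returns the denyAfter date configured for {@code algorithm} in a
     * disabledAlgorithms property value, or empty if there is none.
     * Entries are comma-separated; within an entry the first token is the
     * algorithm name and the remaining constraints are joined with '&'.
     * An algorithm may appear in several entries, so all of them are scanned.
     */
    static Optional<LocalDate> denyAfterDate(String propertyValue, String algorithm) {
        if (propertyValue == null) {
            return Optional.empty();
        }
        for (String entry : propertyValue.split(",")) {
            String[] tokens = entry.trim().split("\\s+", 2);
            if (tokens.length < 2 || !tokens[0].equalsIgnoreCase(algorithm)) {
                continue;
            }
            Matcher m = DENY_AFTER.matcher(tokens[1]);
            if (m.find()) {
                return Optional.of(LocalDate.parse(m.group(1)));
            }
        }
        return Optional.empty();
    }

    /** Looks the date up in the live jdk.certpath.disabledAlgorithms property. */
    static Optional<LocalDate> denyAfterDate(String algorithm) {
        return denyAfterDate(Security.getProperty("jdk.certpath.disabledAlgorithms"), algorithm);
    }

    public static void main(String[] args) {
        // Constructed sample value in the java.security syntax, not a real JDK default.
        String sample = "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, "
                + "SHA1 usage SignedJAR & denyAfter 2019-01-01";
        System.out.println("SHA1 from sample: " + denyAfterDate(sample, "SHA1"));
        System.out.println("MD5 from sample:  " + denyAfterDate(sample, "MD5"));
        System.out.println("SHA1 from this JDK: " + denyAfterDate("SHA1"));
    }
}
```

Because the property is the same source `DisabledAlgorithmConstraints` reads, the date shown to the user stays correct even if the wording of the `CertPathValidatorException` message changes.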


