RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v2]

Sean Mullan mullan at openjdk.java.net
Tue Jan 25 15:12:33 UTC 2022


On Mon, 24 Jan 2022 21:17:42 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 4908:
>> 
>>> 4906:                 if (eMessage.contains("denyAfter constraint check failed") &&
>>> 4907:                         e.getReason() == BasicReason.ALGORITHM_CONSTRAINED) {
>>> 4908:                     String separator = "java.security: ";
>> 
>> Did you consider extracting the date from the security property? Ex: `Security.getProperty("jdk.certpath.disabledAlgorithms")`? I think that would be a better solution instead of parsing the exception message, which might change in the future.
>
> Fixed.

After further thought, I'm now not sure my suggestion is any better (sorry for the rework). It is possible that there could be more than one `denyAfter` constraint, and in that case, you would need to also match on the algorithm that the constraint applies to, and that gets pretty complicated.

So, I now think your previous fix is probably better, even though it means we are depending on the syntax of the exception message. To avoid that causing issues in the future, I would enhance your regression test to fail if the exception message changes in the future such that the denyAfter date cannot be parsed and is not what is expected.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039
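Two points from the mail above, illustrated in an added example (not keytool or JDK code): with more than one `denyAfter` entry in a `disabledAlgorithms`-style property, the lookup must be keyed by algorithm, and a regression test that depends on the exception wording should fail loudly the moment the date can no longer be extracted. The class name, `denyAfterDates`, `fromMessage`, the sample property value and the exception message shape ("denyAfter constraint check failed: <ALG> used with Constraint date: <YYYY-MM-DD>...") are all assumptions constructed for this illustration; only `Security.getProperty("jdk.certpath.disabledAlgorithms")` is a real API.

```java
import java.security.Security;
import java.time.LocalDate;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added illustration, not JDK or keytool code: extract every denyAfter date from a
 * disabledAlgorithms-style property value, keyed by algorithm, and separately check
 * that an exception message still carries a parseable denyAfter date.
 */
public class DenyAfterLookup {

    // "denyAfter YYYY-MM-DD" inside one comma-separated constraint entry.
    private static final Pattern DENY_AFTER =
            Pattern.compile("denyAfter\\s+(\\d{4}-\\d{2}-\\d{2})");

    /**
     * Returns algorithm (upper-cased) -> denyAfter date for each entry that has one.
     * Each entry is "ALGORITHM constraint [& constraint ...]"; the algorithm is the
     * first token, so two entries for different algorithms yield two map keys.
     */
    public static Map<String, LocalDate> denyAfterDates(String propertyValue) {
        Map<String, LocalDate> dates = new LinkedHashMap<>();
        if (propertyValue == null) {
            return dates;
        }
        for (String entry : propertyValue.split(",")) {
            String e = entry.trim();
            if (e.isEmpty()) {
                continue;
            }
            String algorithm = e.split("\\s+", 2)[0].toUpperCase(Locale.ROOT);
            Matcher m = DENY_AFTER.matcher(e);
            if (m.find()) {
                dates.put(algorithm, LocalDate.parse(m.group(1)));
            }
        }
        return dates;
    }

    // Assumed message shape (constructed for this example, not taken from JDK source):
    // "denyAfter constraint check failed: <ALG> used with Constraint date: <YYYY-MM-DD>...".
    // fromMessage() throws if the wording drifts so that the date can no longer be found,
    // which is the failure the regression test should surface.
    private static final Pattern MESSAGE = Pattern.compile(
            "denyAfter constraint check failed: (\\S+) .*?(\\d{4}-\\d{2}-\\d{2})");

    /** Parses algorithm and date out of the exception message; throws if the format changed. */
    public static Map.Entry<String, LocalDate> fromMessage(String eMessage) {
        Matcher m = MESSAGE.matcher(eMessage);
        if (!m.find()) {
            throw new IllegalStateException(
                    "denyAfter message format changed, cannot extract date: " + eMessage);
        }
        return Map.entry(m.group(1).toUpperCase(Locale.ROOT), LocalDate.parse(m.group(2)));
    }

    public static void main(String[] args) {
        // Constructed sample with two denyAfter constraints on different algorithms.
        String sample = "MD2, MD5, SHA1 usage SignedJAR & denyAfter 2019-01-01, "
                + "RSA keySize < 1024, SHA256withRSA denyAfter 2030-06-30";
        Map<String, LocalDate> fromProperty = denyAfterDates(sample);
        System.out.println("denyAfter dates by algorithm: " + fromProperty);

        // Constructed exception message in the assumed shape.
        String eMessage = "denyAfter constraint check failed: SHA1 used with Constraint date: "
                + "2019-01-01; params date: 2022-01-25";
        Map.Entry<String, LocalDate> fromException = fromMessage(eMessage);

        // Only the property entry for the same algorithm is the right one to compare against.
        LocalDate expected = fromProperty.get(fromException.getKey());
        if (!fromException.getValue().equals(expected)) {
            throw new AssertionError("exception date " + fromException.getValue()
                    + " does not match property date " + expected);
        }
        System.out.println("message date agrees with property for " + fromException.getKey());

        // The same lookup run against the current JDK's real property value.
        System.out.println("live property: "
                + denyAfterDates(Security.getProperty("jdk.certpath.disabledAlgorithms")));
    }
}
```

Keying the map by the first token of each entry is what makes the multi-constraint case work: `SHA1` and `SHA256withRSA` each get their own date, and the comparison picks the entry matching the algorithm named in the message rather than whichever `denyAfter` appears first in the property.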