RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v4]
Hai-May Chao
hchao at openjdk.java.net
Tue Jan 25 20:51:21 UTC 2022
On Tue, 25 Jan 2022 14:38:32 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Update to get denyAfter and init caks
>
> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1138:
>
>> 1136:
>> 1137: if (trustcacerts) {
>> 1138: caks = cakstore;
>
> I just realized there is a slight change in behavior in that `buildTrustedCerts` ignores exceptions, whereas `KeyStoreUtil.getCacertsKeyStore()` does not. An exception should be a very rare case, but I recommend changing line 1138 to:
>
>
>     if (cakstore != null) {
>         caks = cakstore;
>     } else {
>         // try to load cacerts again, and let exception propagate if it cannot be loaded
>         caks = KeyStoreUtil.getCacertsKeyStore();
>     }
Added the exception as recommended.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7039