RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v5]
Sean Mullan
mullan at openjdk.java.net
Tue Jan 25 22:44:37 UTC 2022
On Tue, 25 Jan 2022 20:51:17 GMT, Hai-May Chao <hchao at openjdk.org> wrote:
>> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` class when performing algorithm constraints checks. This change is to enhance `keytool` to make use of the new methods `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters` and `checkKey` parameters. For the keyusage in the EE certificate of a certificate chain, set the variant accordingly when calling `CertPathConstraintsParameters` constructor.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>
> Revert to get denyAfter from exception and reload caks
src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java line 759:
> 757: "denyAfter constraint check failed: " + algorithm +
> 758: " used with Constraint date: " +
> 759: denyAfterDate + " (in java.security: " + denyAfterString +
An application could override what was in the `java.security` file by setting the property directly, so saying `java.security` is not totally precise. However, it seems you don't actually need to add this extra info to the exception message. Could we just use the `denyAfterDate` (after "used with Constraint date: ") and reformat it into YYYY-MM-DD format if necessary?
-------------
PR: https://git.openjdk.java.net/jdk/pull/7039
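The following is an added, standalone illustration of the point raised in the review above; it is not code from the pull request or from the JDK. It models a `denyAfter`-style constraint (an algorithm is rejected once the date being evaluated is not before the constraint date, as the `denyAfter YYYY-MM-DD` entries in `java.security` describe) and builds the failure message from the parsed constraint date formatted as YYYY-MM-DD, rather than echoing the raw property string. The class name `DenyAfterCheck`, its `parse` and `check` methods, and the sample algorithm and dates are all hypothetical.

```java
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.Date;

// Hypothetical stand-in for a denyAfter constraint check. Not JDK code:
// the real logic lives in sun.security.util.DisabledAlgorithmConstraints.
public final class DenyAfterCheck {

    // YYYY-MM-DD, the same form used by "denyAfter" entries in java.security.
    private static final DateTimeFormatter ISO_DATE = DateTimeFormatter.ISO_LOCAL_DATE;

    private final String algorithm;       // e.g. "SHA1" (sample value)
    private final LocalDate denyAfterDate; // parsed constraint date

    public DenyAfterCheck(String algorithm, LocalDate denyAfterDate) {
        this.algorithm = algorithm;
        this.denyAfterDate = denyAfterDate;
    }

    /** Parses a "denyAfter YYYY-MM-DD" fragment into a check (hypothetical helper). */
    public static DenyAfterCheck parse(String algorithm, String constraint) {
        String[] parts = constraint.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("denyAfter")) {
            throw new IllegalArgumentException("Expected 'denyAfter YYYY-MM-DD', got: " + constraint);
        }
        // LocalDate.parse rejects malformed dates, so a typo in the property fails loudly.
        return new DenyAfterCheck(algorithm, LocalDate.parse(parts[1], ISO_DATE));
    }

    /**
     * Returns null if the algorithm is still permitted for the given date,
     * otherwise the failure message. The constraint date is re-formatted from
     * the parsed value, so the message is correct even when the property was
     * set programmatically rather than read from java.security.
     */
    public String check(Date evaluationDate, String dateLabel) {
        // keytool and the cert path code work with java.util.Date; compare on UTC calendar days.
        LocalDate eval = evaluationDate.toInstant().atZone(ZoneOffset.UTC).toLocalDate();
        if (eval.isBefore(denyAfterDate)) {
            return null; // still before the cut-off: permitted
        }
        return "denyAfter constraint check failed: " + algorithm
                + " used with Constraint date: " + ISO_DATE.format(denyAfterDate)
                + "; " + dateLabel + ISO_DATE.format(eval);
    }

    private static Date utcDate(int year, int month, int day) {
        return Date.from(LocalDate.of(year, month, day).atStartOfDay(ZoneOffset.UTC).toInstant());
    }

    public static void main(String[] args) {
        // Constructed sample constraint and certificate dates.
        DenyAfterCheck check = DenyAfterCheck.parse("SHA1", "denyAfter 2019-01-01");

        String before = check.check(utcDate(2018, 6, 1), "Certificate date: ");
        System.out.println(before == null ? "2018-06-01: permitted" : before);

        String after = check.check(utcDate(2020, 6, 1), "Certificate date: ");
        System.out.println(after == null ? "2020-06-01: permitted" : after);
    }
}
```

Because the message is derived from the already-parsed `LocalDate`, there is no second string (such as a copy of the `java.security` value) to keep in sync with the constraint that was actually enforced.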