RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v7]

Hai-May Chao hchao at openjdk.java.net
Wed Jan 26 05:50:05 UTC 2022


> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` class when performing algorithm constraints checks. This change is to enhance `keytool` to make use of the new methods `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters` and `checkKey` parameters. For the keyusage in the EE certificate of a certificate chains, set the variant accordingly when calling `CertPathConstraintsParameters` constructor.

Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:

  Reformat denyAfter date in exception message to YYYY-MM-DD

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/7039/files
  - new: https://git.openjdk.java.net/jdk/pull/7039/files/53799e06..34f7efd8

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=7039&range=06
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=7039&range=05-06

  Stats: 25 lines in 3 files changed: 13 ins; 0 del; 12 mod
  Patch: https://git.openjdk.java.net/jdk/pull/7039.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/7039/head:pull/7039

PR: https://git.openjdk.java.net/jdk/pull/7039



More information about the security-dev mailing list