RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v5]
Hai-May Chao
hchao at openjdk.java.net
Wed Jan 26 05:50:08 UTC 2022
On Tue, 25 Jan 2022 22:40:36 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Revert to get denyAfter from exception and reload caks
>
> src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java line 759:
>
>> 757: "denyAfter constraint check failed: " + algorithm +
>> 758: " used with Constraint date: " +
>> 759: denyAfterDate + " (in java.security: " + denyAfterString +
>
> An application could override what was in the `java.security` file by setting the property directly, so saying `java.security` is not totally precise. However, it seems you don't actually need to add this extra info to the exception messsage. Could we just use the `denyAfterDate` (after "used with Constraint date: ") and reformat it into YYYY-MM-DD format if necessary?
Done. Removed the extra info (YYYY-MM-DD form) from the exception message that was set in `DisabledAlgorithmConstraints` class, and re-formated the `denyAfterDate` into YYYY-MM-DD format in keytool.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7039
More information about the security-dev
mailing list