RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v7]

Sean Mullan mullan at openjdk.java.net
Wed Jan 26 14:33:38 UTC 2022


On Wed, 26 Jan 2022 05:50:05 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

>> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` class when performing algorithm constraints checks. This change is to enhance `keytool` to make use of the new methods `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters` and `checkKey` parameters. For the keyusage in the EE certificate of a certificate chains, set the variant accordingly when calling `CertPathConstraintsParameters` constructor.
>
> Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision:
> 
>   Reformat denyAfter date in exception message to YYYY-MM-DD

Marked as reviewed by mullan (Reviewer).

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 4920:

> 4918:                     String endSeparator = "; params date";
> 4919:                     int endSepPos = eMessage.indexOf(endSeparator);
> 4920:                     String denyAfterDate = eMessage.substring(startSepPos + startSeparator.length(),

I think you should catch `IndexOutOfBoundException` here, just in case, and bail out with your new error message "Unable.to.parse.denyAfter.string.in.exception.message".

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039
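The defensive extraction the review asks for, written as an added example that is not part of the PR or of the JDK source: the method returns an empty `Optional` instead of letting `substring` throw when a separator is missing or misordered, and the start-separator text, class name and sample messages are assumptions, since the quoted lines do not show them.

```java
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.util.Optional;

public class DenyAfterExtractor {
    // Assumed separators; only the end separator appears in the quoted lines.
    private static final String START_SEPARATOR = "denyAfter date: ";
    private static final String END_SEPARATOR = "; params date";

    /**
     * Pulls the denyAfter date out of a constraint-check exception message.
     * Every failure mode (missing start separator, missing or misordered end
     * separator, text between them that is not a date) yields Optional.empty()
     * so the caller can fall back to a single error message.
     */
    static Optional<LocalDate> extractDenyAfter(String eMessage) {
        if (eMessage == null) return Optional.empty();
        int startSepPos = eMessage.indexOf(START_SEPARATOR);
        if (startSepPos < 0) return Optional.empty();
        int valueStart = startSepPos + START_SEPARATOR.length();
        // Search only after the value start, so an end separator that precedes
        // the start separator cannot produce a negative-length substring.
        int endSepPos = eMessage.indexOf(END_SEPARATOR, valueStart);
        if (endSepPos < 0) return Optional.empty();
        try {
            // ISO_LOCAL_DATE is the YYYY-MM-DD form the PR reformats the date to.
            return Optional.of(LocalDate.parse(eMessage.substring(valueStart, endSepPos).trim()));
        } catch (DateTimeParseException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) {
        // Constructed sample messages, not real keytool output.
        String[] samples = {
            "constraints check failed: SHA1withRSA denyAfter date: 2019-01-01; params date: 2022-01-26",
            "constraints check failed: SHA1withRSA",              // no separators at all
            "denyAfter date: not-a-date; params date: 2022-01-26" // malformed date value
        };
        for (String s : samples) {
            System.out.println(extractDenyAfter(s)
                .map(LocalDate::toString)
                .orElse("Unable to parse denyAfter string in exception message"));
        }
    }
}
```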
