<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">More on this.<div class=""><br class=""></div><div class="">I've tried using keytool to generate an EC keypair with -groupname contained in "jdk.certpath.disabledAlgorithms". It can print out a warning with the following extra code change. Feel free to include it if it looks OK to you.</div><div class=""><br class=""></div><div class=""><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""><b class="">diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java b/src/java.base/share/classes/sun/security/tools/keytool/Main.java</b></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(252, 85, 85); background-color: rgb(255, 255, 255);" class=""><b class="">--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java</b></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(85, 255, 85); background-color: rgb(255, 255, 255);" class=""><b class="">+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java</b></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(187, 0, 187); background-color: rgb(255, 255, 255);" class="">@@ -4658,7 +4658,7 @@</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">                     rb.getString("whose.key.risk"),</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">                     label,</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; 
line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">                     String.format(rb.getString("key.bit"),</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(187, 0, 4); background-color: rgb(255, 255, 255);" class="">-                            KeyUtil.getKeySize(key), key.getAlgorithm())));</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                            KeyUtil.getKeySize(key), fullDisplayAlgName(key))));</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">         }</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">     }</div><p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255); min-height: 13px;" class=""> <br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""><b class="">diff --git a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java</b></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(252, 85, 85); background-color: rgb(255, 255, 255);" class=""><b class="">--- a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java</b></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; 
color: rgb(85, 255, 85); background-color: rgb(255, 255, 255);" class=""><b class="">+++ b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java</b></div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(187, 0, 187); background-color: rgb(255, 255, 255);" class="">@@ -34,6 +34,7 @@</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""> import java.security.cert.CertPathValidatorException;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""> import java.security.cert.CertPathValidatorException.BasicReason;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""> import java.security.cert.X509Certificate;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+import java.security.interfaces.ECKey;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""> import java.security.spec.ECParameterSpec;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""> import java.text.SimpleDateFormat;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class=""> import java.util.ArrayList;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(187, 0, 187); 
background-color: rgb(255, 255, 255);" class="">@@ -401,6 +402,17 @@</div><p style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255); min-height: 13px;" class=""> <br class="webkit-block-placeholder"></p><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">         // Check if KeySizeConstraints permit the specified key</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">         public boolean permits(Key key) {</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+            if (key instanceof ECKey) {</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                String groupname = CurveDB.lookup(((ECKey)key).getParams())</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                        .getName().toUpperCase(Locale.ROOT);</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                if (getConstraints(groupname) != null) {</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                    if (debug != null) {</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; 
line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                        debug.println("Constraints: failed group name " +</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                                "constraint check " + groupname);</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                    }</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                    return false;</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+                }</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; color: rgb(25, 187, 3); background-color: rgb(255, 255, 255);" class="">+            }</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">             List<Constraint> list = getConstraints(key.getAlgorithm());</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">             if (list == null) {</div><div style="margin: 0px; font-stretch: normal; font-size: 11px; line-height: normal; font-family: "SF Mono"; background-color: rgb(255, 255, 255);" class="">                 return true;</div></div><div class=""><br class=""></div><div class="">BTW, my previous suggestion on 
ConstraintsParameters(...,Key,...) is unrelated. It is used in AlgorithmCheck.java.</div><div class=""><br class=""></div><div class="">Thanks,</div><div class="">Max</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><blockquote type="cite" class="">On Nov 28, 2019, at 9:26 AM, Weijun Wang <<a href="mailto:weijun.wang@oracle.com" class="">weijun.wang@oracle.com</a>> wrote:<br class=""><br class="">In ConstraintsParameters.java:<br class=""><br class="">You added curveStr assignment in the ConstraintsParameters(X509Certificate,...). Is it also necessary to do the same in the next constructor ConstraintsParameters(...,Key,...)? You can get the curve name from the key.<br class=""><br class="">Also, now that a key has a parameter that needs to be checked, in the following public method in DisabledAlgorithmConstraints.java<br class=""><br class="">public boolean permits(Key key) {<br class="">   List<Constraint> list = getConstraints(key.getAlgorithm());<br class="">   if (list == null) {<br class="">       return true;<br class="">   }<br class="">   for (Constraint constraint : list) {<br class="">       if (!constraint.permits(key)) {<br class="">           if (debug != null) {<br class="">               debug.println("Constraints: failed key size" +<br class="">                       "constraint check " + KeyUtil.getKeySize(key));<br class="">           }<br class="">           return false;<br class="">       }<br class="">   }<br class="">   return true;<br class="">}<br class=""><br class="">should getConstraints() be called on both the algorithm name and the group name?<br class=""><br class="">Thanks,<br class="">Max<br class=""><br class=""><br class=""><br class=""><blockquote type="cite" class="">On Nov 20, 2019, at 3:44 AM, Anthony Scarpino <<a href="mailto:anthony.scarpino@oracle.com" class="">anthony.scarpino@oracle.com</a>> wrote:<br class=""><br class="">I need a review of a disabled algorithms code change that 
allows EC curve names to be disabled for all the disabledAlgorithm properties.<br class=""><br class=""><a href="https://cr.openjdk.java.net/~ascarpino/8233228/webrev/" class="">https://cr.openjdk.java.net/~ascarpino/8233228/webrev/</a><br class=""><br class="">Tony<br class=""></blockquote><br class=""></blockquote><br class=""></div></body></html>
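<div class="">Review bot: In the @@ -401,6 +402,17 @@ hunk of DisabledAlgorithmConstraints.java, the new ECKey branch in permits(Key) dereferences the result of CurveDB.lookup(((ECKey)key).getParams()) with .getName() and no null check. If the key's parameters do not resolve to a named curve, or getParams() returns null, this throws instead of falling through to the existing algorithm-name check. Suggest holding the lookup result in a local, skipping the group-name test when it is null, and only then calling getConstraints(groupname). Separately, the branch returns false whenever any constraint list exists for the group name, whereas the loop in the existing method evaluates constraint.permits(key) for each entry; it is worth confirming that a curve entry can never carry a qualifier that should be evaluated rather than treated as an outright disable.</div>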
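<div class="">Review bot: In the @@ -4658,7 +4658,7 @@ hunk of keytool/Main.java, fullDisplayAlgName(key) now fills the second argument of the "key.bit" message next to KeyUtil.getKeySize(key), but nothing visible in the patch exercises the new output. Suggest a keytool regression test that generates an EC key pair with a -groupname listed in jdk.certpath.disabledAlgorithms and asserts that the "whose.key.risk" warning is printed and names the curve, and a check that the "key.bit" resource text still reads correctly when the algorithm name carries the curve.</div>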