Hello,

In AlgorithmChecker the Javadoc seems to not follow "@param name desc" format (in two places). Also it should most likely describe something like "time the signature claimed to be made to check time range limited ciphers after that date" or similar.

    * @param PKIXParameter timestamp (or null)

DisabledAlgorithmConstrained:

The regular expression allows denyafter20160101. It's clear, but \s+ might be clearer? Can optional ISO date separators be added?

    "(\d{4})-?(\d{2})-?...."

The lowercase constraint classes are rather strange, but fit into existing code...

I don't see in the patch how the date param is certified. Is this only the issued date as certified (by the weak) signature or does it look at timestamps (especially codesigning) too?

There are a few conditions which could be unit tested:

    RSA keySize <= 1024 & disablesAfter 20160101
    SHA1 disabledAfter 20160102 // valid
    RSA disabledAfter 20160101 & disabledAfter 20160101 // not valid

Etc.

Regards
Bernd
--
http://bernd.eckenfels.net

-----Original Message-----
From: Anthony Scarpino <anthony.scarp...@oracle.com>
To: OpenJDK Security <security-dev@openjdk.java.net>
Sent: Thu, 12 May 2016 1:16
Subject: RFR 8154005: Add algorithm constraint that specifies the restriction date

Please review the changes related to 8154005. This is a continuation of JEP-288. It adds a denyAfter constraint that stops PKIX algorithm support at a specified date.

http://cr.openjdk.java.net/~ascarpino/8154005/webrev/

thanks

Tony
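
The parsing and test conditions raised in the review above, as an added sketch that is not part of the thread or the webrev: a denyAfter pattern with mandatory whitespace and optional ISO separators, checked against constructed dates. The class and method names are hypothetical, and the example assumes the constraint takes effect at 00:00 UTC on the stated date.

```java
import java.time.LocalDate;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration, not the webrev's code. All names here are hypothetical.
public class DenyAfterExample {
    // Keyword, mandatory whitespace (\s+), then a date with optional '-' separators.
    private static final Pattern DENY_AFTER = Pattern.compile(
            "denyafter\\s+(\\d{4})-?(\\d{2})-?(\\d{2})", Pattern.CASE_INSENSITIVE);

    /** Parses the constraint; returns the first instant (assumed UTC) at which it applies. */
    static ZonedDateTime parse(String constraint) {
        Matcher m = DENY_AFTER.matcher(constraint.trim());
        if (!m.matches()) {
            throw new IllegalArgumentException("Malformed denyAfter constraint: " + constraint);
        }
        // LocalDate.of throws DateTimeException for impossible dates such as month 13,
        // so a typo in the property fails loudly instead of silently never triggering.
        LocalDate d = LocalDate.of(Integer.parseInt(m.group(1)),
                Integer.parseInt(m.group(2)), Integer.parseInt(m.group(3)));
        return d.atStartOfDay(ZoneOffset.UTC);
    }

    /** True if an algorithm carrying this constraint is still permitted at 'when'. */
    static boolean permits(String constraint, ZonedDateTime when) {
        return when.isBefore(parse(constraint));
    }

    public static void main(String[] args) {
        // Constructed reference time, standing in for the certified or timestamped date.
        ZonedDateTime t = LocalDate.of(2016, 1, 1).atStartOfDay(ZoneOffset.UTC);
        System.out.println(permits("denyAfter 2016-01-02", t)); // cutoff not yet reached
        System.out.println(permits("denyAfter 20160101", t));   // cutoff reached
        try {
            parse("denyafter20160101"); // no whitespace between keyword and date
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The result depends entirely on which date is passed as `when`; as the review asks, a date taken only from a weakly signed certificate is attacker-influenced unless it is backed by a trusted timestamp.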