On 11/21/16 5:43 PM, Anthony Scarpino wrote:
On 11/21/2016 01:09 PM, Sean Mullan wrote:
Please review this fix for a bug where certificates were not being
blocked if the algorithm is only listed in the
jdk.tls.disabledAlgorithms property and not the
jdk.certpath.disabledAlgorithms property.
I have modified an existing regression test to test this functionality
as there was no previous test for this feature.
webrev: http://cr.openjdk.java.net/~mullan/webrevs/8170131/webrev.00/
bug: https://bugs.openjdk.java.net/browse/JDK-8170131
--Sean
Is the reason the if() is needed is
constraints.permit(CerttConstraintParameters) is not in the
SSLAlgorithmConstraints class and the method exception is suppressed?
SSLAlgorithmConstraints is not an instanceof
DisabledAlgorithmConstraints. When AlgorithmChecker.check is called, the
previous code (on line 329) would call
certPathDefaultConstraints.permits. This would pass, because the test
has configured jdk.certpath.disabledAlgorithms property to be empty. The
first time through, prevPubKey would also be null, so it would return on
line 335. It would never call SSLAlgorithmConstraints.permits.
Does that make sense?
--Sean
