More on this.
I've tried using keytool to generate an EC keypair with -groupname contained in
"jdk.certpath.disabledAlgorithms". It can print out a warning with the
following extra code change. Feel free to include it if it looks OK to you.
diff --git a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
--- a/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+++ b/src/java.base/share/classes/sun/security/tools/keytool/Main.java
@@ -4658,7 +4658,7 @@
rb.getString("whose.key.risk"),
label,
String.format(rb.getString("key.bit"),
- KeyUtil.getKeySize(key), key.getAlgorithm())));
+ KeyUtil.getKeySize(key),
fullDisplayAlgName(key))));
}
}
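Review bot: the hunk header still reads -4658,7 +4658,7 while the body shows one removed line and what looks like two added lines, and the second added line, `fullDisplayAlgName(key))));`, carries no `+` prefix; this is consistent with a single `+` line having been wrapped by the mail client, so please confirm the patch still applies as a single `+ KeyUtil.getKeySize(key), fullDisplayAlgName(key))));` line before integrating. Since the "key.bit" message now receives the full display algorithm name (which for EC keys is longer than the bare key.getAlgorithm() string), check that the resource string's placeholder reads well with the extended name.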
diff --git
a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
---
a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
+++
b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -34,6 +34,7 @@
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.X509Certificate;
+import java.security.interfaces.ECKey;
import java.security.spec.ECParameterSpec;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
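Review bot: the permits(Key) hunk below also references Locale.ROOT and CurveDB; CurveDB lives in the same sun.security.util package and needs no import, but only java.util.ArrayList is visible among the java.util imports here, so confirm java.util.Locale is already imported in this file or add `import java.util.Locale;` alongside the new ECKey import.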
@@ -401,6 +402,17 @@
// Check if KeySizeConstraints permit the specified key
public boolean permits(Key key) {
+ if (key instanceof ECKey) {
+ String groupname = CurveDB.lookup(((ECKey)key).getParams())
+ .getName().toUpperCase(Locale.ROOT);
+ if (getConstraints(groupname) != null) {
+ if (debug != null) {
+ debug.println("Constraints: failed group name " +
+ "constraint check " + groupname);
+ }
+ return false;
+ }
+ }
List<Constraint> list = getConstraints(key.getAlgorithm());
if (list == null) {
return true;
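Review bot: the new block in permits(Key) chains `CurveDB.lookup(((ECKey)key).getParams()).getName()` without checking the lookup result; CurveDB.lookup returns null when the key's ECParameterSpec does not match a registered named curve (for example a key carrying explicit curve parameters), which would turn a constraint check into a NullPointerException. Split the call and guard it, e.g. `NamedCurve nc = CurveDB.lookup(((ECKey) key).getParams()); if (nc != null) { ... }`, and let keys with no named curve fall through to the existing algorithm-name and key-size checks below. It is also worth documenting in the comment above the method that a matching group-name entry disables the key outright, independent of any key-size constraints on "EC".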
BTW, my previous suggestion on ConstraintsParameters(...,Key,...) is unrelated.
It is used in AlgorithmCheck.java.
Thanks,
Max
> On Nov 28, 2019, at 9:26 AM, Weijun Wang <[email protected]> wrote:
>
> In ConstraintsParameters.java:
>
> You added curveStr assignment in the
> ConstraintsParameters(X509Certificate,...). Is it also necessary to do the
> same in the next constructor ConstraintsParameters(...,Key,...)? You can get
> curve name from the key.
>
> Also, now that a key has a parameter that needs to be checked, in the following
> public method in DisabledAlgorithmConstraints.java
>
> public boolean permits(Key key) {
> List<Constraint> list = getConstraints(key.getAlgorithm());
> if (list == null) {
> return true;
> }
> for (Constraint constraint : list) {
> if (!constraint.permits(key)) {
> if (debug != null) {
> debug.println("Constraints: failed key size" +
> "constraint check " + KeyUtil.getKeySize(key));
> }
> return false;
> }
> }
> return true;
> }
>
> should getConstraints() be called on both the algorithm name and the group
> name?
>
> Thanks,
> Max
>
>
>
>> On Nov 20, 2019, at 3:44 AM, Anthony Scarpino <[email protected]>
>> wrote:
>>
>> I need a review of a disabled algorithms code change that allows EC curve
>> names to be disabled for all the disabledAlgorithm properties.
>>
>> https://cr.openjdk.java.net/~ascarpino/8233228/webrev/
>>
>> Tony
>