> This fix improves the exception message to better indicate when the key (and 
> not the signature algorithm) is restricted. This change also includes a few 
> other improvements:
> 
> - The constraints checking in `AlgorithmChecker.check()` has been improved. 
> If the `AlgorithmConstraints` are an instance of 
> `DisabledAlgorithmConstraints`, the internal `permits` methods are always 
> called; otherwise the public `permits` methods are called. This makes the 
> code easier to understand, and fixes at least one case where duplicate checks 
> were being done.
> 
> - The above change caused some of the exception messages to be slightly 
> different, so some tests that checked the error messages had to be updated to 
> reflect that.
> 
> - AlgorithmDecomposer now stores the canonical algorithm names in a Map, 
> which fixed a bug where "RSASSA-PSS" was not being restricted properly.

Sean Mullan has updated the pull request incrementally with one additional 
commit since the last revision:

  - Changed names of AlgorithmDecomposer.canonicalName and decomposeOneHashName
  methods.
  - Changed other code in AlgorithmDecomposer to use DECOMPOSED_DIGEST_NAMES
  Map instead of hardcoding algorithm names.
  - Changed AlgorithmChecker.trySetTrustAnchor to set trustedPubKey field so
  that constraints on the key algorithm and size are checked in the check()
  method if the constraints are an instanceof DisabledAlgorithmConstraints.

-------------

Changes:
  - all: https://git.openjdk.java.net/jdk/pull/5928/files
  - new: https://git.openjdk.java.net/jdk/pull/5928/files/27045940..cf5a4d7f

Webrevs:
 - full: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=01
 - incr: https://webrevs.openjdk.java.net/?repo=jdk&pr=5928&range=00-01

  Stats: 73 lines in 3 files changed: 12 ins; 32 del; 29 mod
  Patch: https://git.openjdk.java.net/jdk/pull/5928.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/5928/head:pull/5928

PR: https://git.openjdk.java.net/jdk/pull/5928
