On Wed, 12 Jan 2022 02:15:45 GMT, Hai-May Chao <[email protected]> wrote:
> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints`
> class when performing algorithm constraints checks. This change is to enhance
> `keytool` to make use of the new methods
> `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters`
> and `checkKey` parameters. For the keyusage in the EE certificate of a
> certificate chain, set the variant accordingly when calling the
> `CertPathConstraintsParameters` constructor.
src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2198:
> 2196: ("Certificate.chain.length.") + chain.length);
> 2197:
> 2198: X509Certificate[] xcerts = convertCerts(chain);
I think you can just cast to an `X509Certificate[]` instead of reparsing all
the certificates, i.e.:
`X509Certificate[] xcerts = (X509Certificate[]) chain;`
src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2259:
> 2257: }
> 2258: cpcp = new
> CertPathConstraintsParameters((X509Certificate)cert,
> 2259: null,null, null);
Nit - add space between `null,null`.
src/java.base/share/classes/sun/security/tools/keytool/Main.java line 5048:
> 5046: }
> 5047:
> 5048: private TrustAnchor findTrustAnchor(List<X509Certificate> chain) {
I would consider having an initial check that returns `null` if
`chain.isEmpty()`. Not sure if that is a valid scenario, but it would avoid an
`IndexOOBException` just in case.
src/java.base/share/classes/sun/security/tools/keytool/Resources.java line 486:
> 484: {"verified.by.s.in.s.weak", "Verified by %1$s in %2$s with a
> %3$s"},
> 485: {"whose.sigalg.disabled", "%1$s uses the %2$s signature
> algorithm which is considered a security risk and is disabled."},
> 486: {"whose.sigalg.usagesignedjar", "%1$s uses the %2$s signature
> algorithm which is considered a security risk and cannot be used to sign JARs
> after 2019-01-01."},
Instead of hard-coding "2019-01-01", we should extract this date from the
`denyAfter` attribute of the `jdk.certpath.disabledAlgorithms` security
property and pass it in as a parameter.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7039
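
An added example, not part of the review or of the JDK source: one way to read the `denyAfter` date out of the `jdk.certpath.disabledAlgorithms` value instead of hard-coding it in a resource string. The class and method names are hypothetical, the sample property string is constructed, and the parser only interprets the `usage` and `denyAfter` constraints.

```java
import java.security.Security;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
public class DenyAfterLookup {
    // Hypothetical helper: returns the denyAfter date that applies to
    // `algorithm` for the given `usage` (e.g. "SignedJAR"), if any.
    static Optional<LocalDate> denyAfter(String property, String algorithm, String usage) {
        if (property == null) return Optional.empty();
        for (String entry : property.split(",")) {
            // Entry form: AlgorithmName [Constraint] { '&' Constraint }
            String[] parts = entry.trim().split("\\s*&\\s*");
            String[] head = parts[0].trim().split("\\s+", 2);
            if (!head[0].equalsIgnoreCase(algorithm)) {
                continue;
            }
            List<String> constraints = new ArrayList<>(Arrays.asList(parts).subList(1, parts.length));
            if (head.length == 2) {
                constraints.add(head[1]);   // constraint written right after the name
            }
            LocalDate date = null;
            boolean usageOk = true;         // no usage constraint means every usage
            for (String c : constraints) {
                String[] tok = c.trim().split("\\s+");
                if (tok[0].equalsIgnoreCase("denyAfter") && tok.length == 2) {
                    date = LocalDate.parse(tok[1]);   // assumes zero-padded YYYY-MM-DD
                } else if (tok[0].equalsIgnoreCase("usage")) {
                    usageOk = Arrays.stream(tok).skip(1).anyMatch(usage::equalsIgnoreCase);
                }
            }
            if (date != null && usageOk) {
                return Optional.of(date);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample value in the property's documented syntax.
        String sample = "MD2, MD5, RSA keySize < 1024, SHA1 usage SignedJAR & denyAfter 2019-01-01";
        System.out.println(denyAfter(sample, "SHA1", "SignedJAR"));
        // Value configured in the running JDK.
        String live = Security.getProperty("jdk.certpath.disabledAlgorithms");
        System.out.println(denyAfter(live, "SHA1", "SignedJAR"));
    }
}
```

An empty result means no `denyAfter` constraint applies to that algorithm and usage, so a caller formatting the warning needs a fallback message without a date.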