On Mon, 24 Jan 2022 21:21:58 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints`
>> class when performing algorithm constraints checks. This change is to
>> enhance `keytool` to make use of the new methods
>> `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters`
>> and `checkKey` parameters. For the keyusage in the EE certificate of a
>> certificate chain, set the variant accordingly when calling the
>> `CertPathConstraintsParameters` constructor.
>
> Hai-May Chao has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   Update to get denyAfter and init caks

Changes requested by mullan (Reviewer).

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1138:

> 1136:
> 1137:         if (trustcacerts) {
> 1138:             caks = cakstore;

I just realized there is a slight change in behavior in that `buildTrustedCerts` ignores exceptions, whereas `KeyStoreUtil.getCacertsKeyStore()` does not. An exception should be a very rare case, but I recommend changing line 1138 to:

    if (cakstore != null) {
        caks = cakstore;
    } else {
        // try to load cacerts again, and let exception propagate if it cannot be loaded
        caks = KeyStoreUtil.getCacertsKeyStore();
    }

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039