Looking good, mostly minor stuff:
AlgorithmChecker
----------------
151 if (trustedMatch && debug != null)
debug.println("trustedMatch = true");
put braces around.
java.security
-------------
553 # lib/security/cacerts.fingerprints file which is initially
seeded with the
lib/security/cacerts.properties file with a "restricted=yes" attribute
which is ...
562 # chain that terminate at a distribution provided trust anchor and
contain
s/terminate/terminates/
s/contain/contains/
CaCertsHasher
-------------
40 * Fingerprint
I recommend specifying a format for the attributes, and then defining a
specific attribute that tags a cert as being restricted. This will make
the properties file more generally useful if we want to add more
attributes later. Ex:
Fingerprint [attribute]{;attribute}
69 if (inFilename == null) {
70 System.err.println("Input file not defined.");
71 }
72 if (outFilename == null) {
73 System.err.println("Output file not defined.");
74 }
You should not continue on error in these cases. I think you should just
change these to:
69 if (inFilename == null) {
70 throw new Exception("Input file not defined.");
71 }
72 if (outFilename == null) {
73 throw new Exception("Output file not defined.");
74 }
81 PrintStream out = new PrintStream(outFilename);
should use try-with-resources to avoid having to close the file.
88 if (verbose) {
89 System.out.println("No certificates in " +
inFilename +
90 ". Hash file not created");
91 }
But you already created the file on line 81.
103 prop.store(out, c.getIssuerX500Principal().getName());
Maybe you should use the keystore alias here instead. DNs can be very long.
AnchorCertificates
------------------
40 * anchor certificate is in the cacerts.fingerprints file which is
43 * file but not the cacerts.fingerprints file would not be a match.
s/cacerts.fingerprints/cacerts.properties/
--Sean
On 03/18/2016 01:09 PM, Anthony Scarpino wrote:
I believe I got everyone's comments. I've updated the webrev.
http://cr.openjdk.java.net/~ascarpino/8140422/webrev.02/
Thanks
Tony
On 02/29/2016 08:55 AM, Anthony Scarpino wrote:
Currently CertPath algorithm restrictions allow or deny all
certificates. This change adds the ability to reject certificate chains
that contain a restricted algorithm and the chain terminates at a root
CA; therefore, allowing a self-signed or chain that does not terminate
at a root CA.
https://bugs.openjdk.java.net/browse/JDK-8140422
Thanks
Tony
