On Wed, 13 Oct 2021 13:42:25 GMT, Sean Mullan <mul...@openjdk.org> wrote:
> This fix improves the exception message to better indicate when the key (and
> not the signature algorithm) is restricted. This change also includes a few
> other improvements:
>
> - The constraints checking in `AlgorithmChecker.check()` has been improved.
> If the `AlgorithmConstraints` are an instance of
> `DisabledAlgorithmConstraints`, the internal `permits` methods are always
> called; otherwise the public `permits` methods are called. This makes the
> code easier to understand, and fixes at least one case where duplicate checks
> were being done.
>
> - The above change caused some of the exception messages to be slightly
> different, so some tests that checked the error messages had to be updated to
> reflect that.
>
> - AlgorithmDecomposer now stores the canonical algorithm names in a Map,
> which fixed a bug where "RSASSA-PSS" was not being restricted properly.
src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 48:
> 46: "SHA-384", "SHA384", "SHA-512", "SHA512", "SHA-512/224",
> 47: "SHA512/224", "SHA-512/256", "SHA512/256");
> 48:
Do you want to support the "SHA" -> "SHA1" mapping?
src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java line 196:
> 194: static String canonicalName(String algorithm) {
> 195: return CANONICAL_NAME.getOrDefault(algorithm, algorithm);
> 196: }
I'm not sure if `canonicalName` is good. Normally, we say "SHA-1" is the
standard name but this method changes it to "SHA1".
-------------
PR: https://git.openjdk.java.net/jdk/pull/5928
