When a signature/digest algorithm was being checked, the algorithm constraints checked both the signature/digest algorithm and the key to see if they were restricted. This caused duplicate checks and was also problematic for `jarsigner` (and `keytool`) which need to distinguish these two cases, so that the output can properly indicate when the key is disabled but the signature or digest alg is ok.
To address this issue, a new `checkKey` parameter is added to the `DisabledAlgorithmConstraints.permits` methods. When `true` the key (alg and size) is also checked, otherwise it is not. This flag is always set to `false` by `jarsigner` when checking algs and by the JDK when checking digest algorithms.

Other small changes include changes in `SignerInfo` to use a record to store info about the algorithms to be checked, and removing an unnecessary CRL checking method from `AlgorithmChecker`.

`keytool` will be enhanced in a subsequent CR to call the new methods.

-------------

Commit messages:
 - Change name of `checkKeySize` param to `checkKey`.
 - 8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Changes: https://git.openjdk.java.net/jdk/pull/6296/files
Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=6296&range=00
Issue: https://bugs.openjdk.java.net/browse/JDK-8275887
Stats: 128 lines in 9 files changed: 40 ins; 31 del; 57 mod
Patch: https://git.openjdk.java.net/jdk/pull/6296.diff
Fetch: git fetch https://git.openjdk.java.net/jdk pull/6296/head:pull/6296

PR: https://git.openjdk.java.net/jdk/pull/6296
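The distinction described above, as an added example that is not part of the original message and is not the JDK's internal code: a simplified model of a constraints check with a `checkKey` flag, showing how a `jarsigner`-style reporter can tell "algorithm disabled" apart from "key disabled". The class and method names, and the policy (MD5 disabled, RSA minimum 2048 bits), are assumptions constructed for illustration.

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAKey;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class CheckKeyDemo {
    // Constructed policy for this example, not a real java.security file.
    static final Set<String> DISABLED_ALGS = Set.of("MD5");
    static final Map<String, Integer> MIN_KEY_BITS = Map.of("RSA", 2048);

    // Key-only check: key algorithm name and key size.
    static boolean permitsKey(Key key) {
        if (DISABLED_ALGS.contains(key.getAlgorithm())) return false;
        Integer min = MIN_KEY_BITS.get(key.getAlgorithm());
        if (min != null && key instanceof RSAKey) {
            return ((RSAKey) key).getModulus().bitLength() >= min;
        }
        return true;
    }

    // Hypothetical stand-in for a permits(...) overload with a checkKey flag:
    // the algorithm name is always checked, the key only when checkKey is true.
    static boolean permits(String sigAlg, Key key, boolean checkKey) {
        for (String part : sigAlg.toUpperCase(Locale.ROOT).split("WITH|AND")) {
            if (DISABLED_ALGS.contains(part)) return false;
        }
        return !checkKey || permitsKey(key);
    }

    // Reporter that keeps the two results separate, as a signing tool needs to.
    static String report(String sigAlg, Key key) {
        boolean algOk = permits(sigAlg, key, false); // algorithm only
        boolean keyOk = permitsKey(key);             // key only
        if (!algOk) return sigAlg + ": signature algorithm disabled";
        if (!keyOk) return sigAlg + ": algorithm ok, key disabled";
        return sigAlg + ": ok";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(1024); // deliberately below the constructed minimum
        Key weak = kpg.generateKeyPair().getPublic();
        // Combined check rejects, but cannot say which part failed.
        System.out.println("combined: " + permits("SHA256withRSA", weak, true));
        System.out.println(report("SHA256withRSA", weak));
        System.out.println(report("MD5withRSA", weak));
    }
}
```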