On Wed, 12 Jan 2022 02:15:45 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` class when performing algorithm constraints checks. This change is to enhance `keytool` to make use of the new methods `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters` and `checkKey` parameters. For the keyusage in the EE certificate of a certificate chain, set the variant accordingly when calling the `CertPathConstraintsParameters` constructor.

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2198:

> 2196:                 ("Certificate.chain.length.") + chain.length);
> 2197:
> 2198:         X509Certificate[] xcerts = convertCerts(chain);

I think you can just cast to an `X509Certificate[]` instead of reparsing all the certificates, i.e.:

`X509Certificate[] xcerts = (X509Certificate[]) chain;`

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2259:

> 2257:             }
> 2258:             cpcp = new CertPathConstraintsParameters((X509Certificate)cert,
> 2259:                     null,null, null);

Nit - add space between `null,null`.

src/java.base/share/classes/sun/security/tools/keytool/Main.java line 5048:

> 5046:     }
> 5047:
> 5048:     private TrustAnchor findTrustAnchor(List<X509Certificate> chain) {

I would consider having an initial check that returns `null` if `chain.isEmpty()`. Not sure if that is a valid scenario, but it would avoid an `IndexOOBException` just in case.

src/java.base/share/classes/sun/security/tools/keytool/Resources.java line 486:

> 484:         {"verified.by.s.in.s.weak", "Verified by %1$s in %2$s with a %3$s"},
> 485:         {"whose.sigalg.disabled", "%1$s uses the %2$s signature algorithm which is considered a security risk and is disabled."},
> 486:         {"whose.sigalg.usagesignedjar", "%1$s uses the %2$s signature algorithm which is considered a security risk and cannot be used to sign JARs after 2019-01-01."},

Instead of hard-coding "2019-01-01", we should extract this date from the `denyAfter` attribute of the `jdk.certpath.disabledAlgorithms` security property and pass it in as a parameter.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039
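The last review comment asks for the JAR-signing cut-off date to be read from the `denyAfter` attribute of `jdk.certpath.disabledAlgorithms` rather than hard-coded in the resource string. The following is an added illustration of that lookup, written for this page and not taken from the PR or from the JDK's `DisabledAlgorithmConstraints` implementation. It reads the live security property through `java.security.Security.getProperty` and falls back to a constructed sample policy string (`SAMPLE_POLICY`, in the same `algorithm constraint & constraint` syntax that `java.security` uses) when the property is absent; the class name `DenyAfterLookup` and the helper `denyAfter` are this example's own.

```java
import java.security.Security;
import java.time.LocalDate;
import java.util.Optional;

/**
 * Added example (not part of the PR under review): find the denyAfter date that
 * jdk.certpath.disabledAlgorithms attaches to an algorithm/usage pair, so that a
 * message such as "cannot be used to sign JARs after ..." is derived from the
 * policy in force instead of a date baked into Resources.java.
 */
public class DenyAfterLookup {

    // Constructed sample in the java.security syntax; only used when the running
    // JDK does not expose the property (for example a stripped-down runtime).
    static final String SAMPLE_POLICY =
        "MD2, MD5, SHA1 jdkCA & usage TLSServer, RSA keySize < 1024, "
        + "DSA keySize < 1024, EC keySize < 224, "
        + "SHA1 usage SignedJAR & denyAfter 2019-01-01";

    /**
     * Parses a disabledAlgorithms-style property value and returns the denyAfter
     * date of the first entry that names {@code algorithm} and, when {@code usage}
     * is non-null, also lists that usage in a "usage" constraint.
     */
    static Optional<LocalDate> denyAfter(String policy, String algorithm, String usage) {
        if (policy == null) {
            return Optional.empty();
        }
        for (String rawEntry : policy.split(",")) {
            String entry = rawEntry.trim();
            if (entry.isEmpty()) {
                continue;
            }
            // Entry syntax: "<algorithm> [constraint [& constraint ...]]"
            String[] algAndConstraints = entry.split("\\s+", 2);
            if (!algAndConstraints[0].equalsIgnoreCase(algorithm)
                    || algAndConstraints.length < 2) {
                continue;
            }
            LocalDate date = null;
            boolean usageMatches = (usage == null);
            for (String constraint : algAndConstraints[1].split("&")) {
                String[] tokens = constraint.trim().split("\\s+");
                if (tokens.length >= 2 && tokens[0].equalsIgnoreCase("denyAfter")) {
                    date = LocalDate.parse(tokens[1]);   // ISO yyyy-MM-dd
                } else if (tokens[0].equalsIgnoreCase("usage") && usage != null) {
                    // A "usage" constraint may list several space-separated types.
                    for (int i = 1; i < tokens.length; i++) {
                        if (tokens[i].equalsIgnoreCase(usage)) {
                            usageMatches = true;
                        }
                    }
                }
            }
            if (date != null && usageMatches) {
                return Optional.of(date);
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        String policy = Security.getProperty("jdk.certpath.disabledAlgorithms");
        if (policy == null) {
            policy = SAMPLE_POLICY;   // constructed fallback, see above
        }
        denyAfter(policy, "SHA1", "SignedJAR").ifPresentOrElse(
            d -> System.out.println("SHA1 cannot be used to sign JARs after " + d),
            () -> System.out.println("no denyAfter constraint found for SHA1/SignedJAR"));
    }
}
```

The `usage` filter matters because the same algorithm can appear more than once in the property with different constraints (in the sample, `SHA1` is listed once with `jdkCA & usage TLSServer` and once with `usage SignedJAR & denyAfter`); matching on the algorithm name alone would pick up the wrong entry and report no date. Returning `Optional.empty()` when no `denyAfter` exists lets the caller choose a message without a date rather than printing a stale one.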