On Mon, 24 Jan 2022 21:17:42 GMT, Hai-May Chao <hc...@openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 4908:
>>
>>> 4906: if (eMessage.contains("denyAfter constraint check
>>> failed") &&
>>> 4907: e.getReason() ==
>>> BasicReason.ALGORITHM_CONSTRAINED) {
>>> 4908: String separator = "java.security: ";
>>
>> Did you consider extracting the date from the security property? Ex:
>> `Security.getProperty("jdk.certpath.disabledAlgorithms")`? I think that
>> would be a better solution instead of parsing the exception message, which
>> might change in the future.
>
> Fixed.
After further thought, I'm now not sure my suggestion is any better (sorry for
the rework). It is possible that there could be more than one `denyAfter`
constraint, and in that case, you would need to also match on the algorithm
that the constraint applies to, and that gets pretty complicated.
So, I now think your previous fix is probably better, even though it means we
are depending on the syntax of the exception message. To avoid that from
causing issues in the future, I would enhance your regression test to fail if
the exception message changes in the future such that the denyAfter date cannot
be parsed and is not what is expected.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7039
