On Mon, 24 Jan 2022 21:17:42 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 4908:
>> 
>>> 4906:                 if (eMessage.contains("denyAfter constraint check failed") &&
>>> 4907:                         e.getReason() == BasicReason.ALGORITHM_CONSTRAINED) {
>>> 4908:                     String separator = "java.security: ";
>> 
>> Did you consider extracting the date from the security property? Ex: 
>> `Security.getProperty("jdk.certpath.disabledAlgorithms")`? I think that 
>> would be a better solution instead of parsing the exception message, which 
>> might change in the future.
>
> Fixed.

After further thought, I'm now not sure my suggestion is any better (sorry for 
the rework). It is possible that there could be more than one `denyAfter` 
constraint, and in that case, you would need to also match on the algorithm 
that the constraint applies to, and that gets pretty complicated.

So, I now think your previous fix is probably better, even though it means we 
are depending on the syntax of the exception message. To prevent that from 
causing issues in the future, I would enhance your regression test to fail if 
the exception message changes in the future such that the denyAfter date cannot 
be parsed and is not what is expected.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039
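
The complication described in the message above, as an added example that is not part of the original thread or of the JDK's code: when the property holds more than one `denyAfter` constraint, each date has to be tied to the algorithm whose entry carries it. The class name, the helper `denyAfterByAlgorithm` and the sample property value are assumptions made for illustration.

```java
import java.security.Security;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class DenyAfterDates {
    // Constraint syntax used in java.security: "denyAfter YYYY-MM-DD"
    private static final Pattern DENY_AFTER =
            Pattern.compile("\\bdenyAfter\\s+(\\d{4}-\\d{2}-\\d{2})\\b");

    /** Hypothetical helper: algorithm name -> every denyAfter date attached to it. */
    static Map<String, List<LocalDate>> denyAfterByAlgorithm(String property) {
        Map<String, List<LocalDate>> dates = new LinkedHashMap<>();
        if (property == null) {
            return dates;                       // property not set
        }
        for (String raw : property.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) {
                continue;
            }
            // The first token of an entry is the algorithm its constraints apply to.
            String algorithm = entry.split("\\s+", 2)[0];
            Matcher m = DENY_AFTER.matcher(entry);
            while (m.find()) {
                dates.computeIfAbsent(algorithm, k -> new ArrayList<>())
                     .add(LocalDate.parse(m.group(1)));
            }
        }
        return dates;
    }

    public static void main(String[] args) {
        // Constructed value, not the JDK default: two entries carry a denyAfter date.
        String sample = "MD2, MD5, RSA keySize < 1024, "
                + "SHA1 usage SignedJAR & denyAfter 2019-01-01, "
                + "SHA224 usage TLSServer & denyAfter 2022-06-30";
        System.out.println("sample:  " + denyAfterByAlgorithm(sample));
        // Same parse over the value the running JDK actually uses.
        System.out.println("runtime: " + denyAfterByAlgorithm(
                Security.getProperty("jdk.certpath.disabledAlgorithms")));
    }
}
```

Taking the first `denyAfter` match in the sample would report the SHA1 date even when the failing check concerned the other algorithm, which is the ambiguity the message points out.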
