On Tue, 25 Jan 2022 20:51:17 GMT, Hai-May Chao <hc...@openjdk.org> wrote:

>> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` 
>> class when performing algorithm constraints checks. This change is to 
>> enhance `keytool` to make use of the new methods 
>> `DisabledAlgorithmConstraints.permits` with `CertPathConstraintsParameters` 
>> and `checkKey` parameters. For the keyusage in the EE certificate of a 
>> certificate chain, set the variant accordingly when calling the 
>> `CertPathConstraintsParameters` constructor.
>
> Hai-May Chao has updated the pull request incrementally with one additional 
> commit since the last revision:
> 
>   Revert to get denyAfter from exception and reload caks

src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java 
line 759:

> 757:                         "denyAfter constraint check failed: " + algorithm +
> 758:                         " used with Constraint date: " +
> 759:                         denyAfterDate + " (in java.security: " + denyAfterString +

An application could override what was in the `java.security` file by setting 
the property directly, so saying `java.security` is not totally precise. 
However, it seems you don't actually need to add this extra info to the 
exception message. Could we just use the `denyAfterDate` (after "used with 
Constraint date: ") and reformat it into YYYY-MM-DD format if necessary?

-------------

PR: https://git.openjdk.java.net/jdk/pull/7039