8244479: Further constrain certificates

Reviewed-by: ascarpino, ahgross, rhalade
2025-08-28 15:24:43 +02:00 · 2020-05-20 08:07:25 -04:00 · 2020-05-20 08:07:25 -04:00 · 27f1ebc0af
commit 27f1ebc0af
parent 5f1918db26
1 changed files with 7 additions and 5 deletions
--- a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
+++ b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@ -300,15 +300,16 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
                int space = constraintEntry.indexOf(' ');
                String algorithm = AlgorithmDecomposer.hashName(
                        ((space > 0 ? constraintEntry.substring(0, space) :
-                                constraintEntry).
-                                toUpperCase(Locale.ENGLISH)));
+                                constraintEntry)));
                List<Constraint> constraintList =
-                        constraintsMap.getOrDefault(algorithm,
+                        constraintsMap.getOrDefault(
+                                algorithm.toUpperCase(Locale.ENGLISH),
                                new ArrayList<>(1));

                // Consider the impact of algorithm aliases.
                for (String alias : AlgorithmDecomposer.getAliases(algorithm)) {
-                    constraintsMap.putIfAbsent(alias, constraintList);
+                    constraintsMap.putIfAbsent(
+                            alias.toUpperCase(Locale.ENGLISH), constraintList);
                }

                // If there is no whitespace, it is a algorithm name; however,
@ -400,7 +401,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {

        // Get applicable constraints based off the signature algorithm
        private List<Constraint> getConstraints(String algorithm) {
-            return constraintsMap.get(algorithm);
+            return constraintsMap.get(algorithm.toUpperCase(Locale.ENGLISH));
        }

        // Check if KeySizeConstraints permit the specified key
@ -455,6 +456,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
            Set<String> algorithms = new HashSet<>();
            if (algorithm != null) {
                algorithms.addAll(AlgorithmDecomposer.decomposeOneHash(algorithm));
+                algorithms.add(algorithm);
            }

            // Attempt to add the public key algorithm if cert provided