8275887: jarsigner prints invalid digest/signature algorithm warnings if keysize is weak/disabled

Alexey Bakhtin · Alexey Bakhtin · commit 53620b38d3d4 · 2022-12-01T06:17:19.000Z
Reviewed-by: phh, andrew
Backport-of: 03f8c0fb9363dc1bb07bed1ae0359c029caa0130
diff --git a/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java b/jdk/src/share/classes/sun/security/pkcs/SignerInfo.java
@@ -84,10 +84,21 @@ public class SignerInfo implements DerEncoder {
     /**
      * A map containing the algorithms in this SignerInfo. This is used to
      * avoid checking algorithms to see if they are disabled more than once.
-     * The key is the AlgorithmId of the algorithm, and the value is the name of
-     * the field or attribute.
+     * The key is the AlgorithmId of the algorithm, and the value is a record
+     * containing the name of the field or attribute and whether the key
+     * should also be checked (ex: if it is a signature algorithm).
      */
-    private Map<AlgorithmId, String> algorithms = new HashMap<>();
+    private class AlgorithmInfo {
+        String field;
+        boolean checkKey;
+        private AlgorithmInfo(String f, boolean cK) {
+            field = f;
+            checkKey = cK;
+        }
+        String field() { return field; }
+        boolean checkKey() { return checkKey; }
+    }
+    private Map<AlgorithmId, AlgorithmInfo> algorithms = new HashMap<>();
 
     public SignerInfo(X500Name  issuerName,
                       BigInteger serial,
@@ -323,7 +334,8 @@ SignerInfo verify(PKCS7 block, byte[] data)
             }
 
             String digestAlgName = digestAlgorithmId.getName();
-            algorithms.put(digestAlgorithmId, "SignerInfo digestAlgorithm field");
+            algorithms.put(digestAlgorithmId,
+                new AlgorithmInfo("SignerInfo digestAlgorithm field", false));
 
             byte[] dataSigned;
 
@@ -382,7 +394,8 @@ SignerInfo verify(PKCS7 block, byte[] data)
                     new AlgorithmId(oid,
                             digestEncryptionAlgorithmId.getParameters());
                 algorithms.put(sigAlgId,
-                    "SignerInfo digestEncryptionAlgorithm field");
+                    new AlgorithmInfo(
+                        "SignerInfo digestEncryptionAlgorithm field", true));
             } catch (NoSuchAlgorithmException ignore) {
             }
 
@@ -569,7 +582,8 @@ private void verifyTimestamp(TimestampToken token)
         throws NoSuchAlgorithmException, SignatureException {
 
         AlgorithmId digestAlgId = token.getHashAlgorithm();
-        algorithms.put(digestAlgId, "TimestampToken digestAlgorithm field");
+        algorithms.put(digestAlgId,
+            new AlgorithmInfo("TimestampToken digestAlgorithm field", false));
 
         MessageDigest md = MessageDigest.getInstance(digestAlgId.getName());
 
@@ -626,18 +640,19 @@ public String toString() {
      */
     public static Set<String> verifyAlgorithms(SignerInfo[] infos,
         JarConstraintsParameters params, String name) throws SignatureException {
-        Map<AlgorithmId, String> algorithms = new HashMap<>();
+        Map<AlgorithmId, AlgorithmInfo> algorithms = new HashMap<>();
         for (SignerInfo info : infos) {
             algorithms.putAll(info.algorithms);
         }
 
         Set<String> enabledAlgorithms = new HashSet<>();
         try {
-            for (Map.Entry<AlgorithmId, String> algorithm : algorithms.entrySet()) {
-                params.setExtendedExceptionMsg(name, algorithm.getValue());
-                AlgorithmId algId = algorithm.getKey();
+            for (Map.Entry<AlgorithmId,AlgorithmInfo> algEntry : algorithms.entrySet()) {
+                AlgorithmInfo info = algEntry.getValue();
+                params.setExtendedExceptionMsg(name, info.field());
+                AlgorithmId algId = algEntry.getKey();
                 JAR_DISABLED_CHECK.permits(algId.getName(),
-                    algId.getParameters(), params);
+                    algId.getParameters(), params, info.checkKey());
                 enabledAlgorithms.add(algId.getName());
             }
         } catch (CertPathValidatorException e) {
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java b/jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
@@ -38,7 +38,6 @@
 import java.security.AlgorithmParameters;
 import java.security.GeneralSecurityException;
 import java.security.cert.Certificate;
-import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.TrustAnchor;
@@ -57,7 +56,6 @@
 import sun.security.validator.Validator;
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509CertImpl;
-import sun.security.x509.X509CRLImpl;
 
 /**
  * A {@code PKIXCertPathChecker} implementation to check whether a
@@ -285,13 +283,13 @@ public void check(Certificate cert,
         // Check against local constraints if it is DisabledAlgorithmConstraints
         if (constraints instanceof DisabledAlgorithmConstraints) {
             ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg,
-                currSigAlgParams, cp);
+                currSigAlgParams, cp, true);
             // DisabledAlgorithmsConstraints does not check primitives, so key
             // additional key check.
 
         } else {
             // Perform the default constraints checking anyway.
-            certPathDefaultConstraints.permits(currSigAlg, currSigAlgParams, cp);
+            certPathDefaultConstraints.permits(currSigAlg, currSigAlgParams, cp, true);
             // Call locally set constraints to check key with primitives.
             if (!constraints.permits(primitives, currPubKey)) {
                 throw new CertPathValidatorException(
@@ -377,29 +375,6 @@ void trySetTrustAnchor(TrustAnchor anchor) {
         }
     }
 
-    /**
-     * Check the signature algorithm with the specified public key.
-     *
-     * @param key the public key to verify the CRL signature
-     * @param crl the target CRL
-     * @param variant the Validator variant of the operation. A null value
-     *                passed will set it to Validator.GENERIC.
-     * @param anchor the trust anchor selected to validate the CRL issuer
-     */
-    static void check(PublicKey key, X509CRL crl, String variant,
-                      TrustAnchor anchor) throws CertPathValidatorException {
-
-        X509CRLImpl x509CRLImpl = null;
-        try {
-            x509CRLImpl = X509CRLImpl.toImpl(crl);
-        } catch (CRLException ce) {
-            throw new CertPathValidatorException(ce);
-        }
-
-        AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
-        check(key, algorithmId, variant, anchor);
-    }
-
     /**
      * Check the signature algorithm with the specified public key.
      *
@@ -414,7 +389,7 @@ static void check(PublicKey key, AlgorithmId algorithmId, String variant,
 
         certPathDefaultConstraints.permits(algorithmId.getName(),
             algorithmId.getParameters(),
-            new CertPathConstraintsParameters(key, variant, anchor));
+            new CertPathConstraintsParameters(key, variant, anchor), true);
     }
 }
 
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -689,7 +689,8 @@ static boolean verifyCRL(X509CertImpl certImpl, DistributionPoint point,
 
         // check the crl signature algorithm
         try {
-            AlgorithmChecker.check(prevKey, crl, variant, anchor);
+            AlgorithmChecker.check(prevKey, crlImpl.getSigAlgId(),
+                                   variant, anchor);
         } catch (CertPathValidatorException cpve) {
             if (debug != null) {
                 debug.println("CRL signature algorithm check failed: " + cpve);
diff --git a/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java b/jdk/src/share/classes/sun/security/tools/jarsigner/Main.java
@@ -904,9 +904,14 @@ void verifyJar(String jarName)
                                 Calendar c = Calendar.getInstance(
                                         TimeZone.getTimeZone("UTC"),
                                         Locale.getDefault(Locale.Category.FORMAT));
-                                c.setTime(tsTokenInfo.getDate());
+                                Date tsDate = tsTokenInfo.getDate();
+                                c.setTime(tsDate);
                                 JarConstraintsParameters jcp =
-                                    new JarConstraintsParameters(chain, si.getTimestamp());
+                                    new JarConstraintsParameters(chain, tsDate);
+                                JarConstraintsParameters jcpts =
+                                    new JarConstraintsParameters(
+                                        tsSi.getCertificateChain(tsToken),
+                                        tsDate);
                                 history = String.format(
                                         rb.getString("history.with.ts"),
                                         signer.getSubjectX500Principal(),
@@ -915,9 +920,9 @@ void verifyJar(String jarName)
                                         verifyWithWeak(key, jcp),
                                         c,
                                         tsSigner.getSubjectX500Principal(),
-                                        verifyWithWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET, true, jcp),
-                                        verifyWithWeak(tsSigAlg, SIG_PRIMITIVE_SET, true, jcp),
-                                        verifyWithWeak(tsKey, jcp));
+                                        verifyWithWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET, true, jcpts),
+                                        verifyWithWeak(tsSigAlg, SIG_PRIMITIVE_SET, true, jcpts),
+                                        verifyWithWeak(tsKey, jcpts));
                             } else {
                                 JarConstraintsParameters jcp =
                                     new JarConstraintsParameters(chain, null);
@@ -1267,13 +1272,13 @@ private String verifyWithWeak(String alg, Set<CryptoPrimitive> primitiveSet,
         boolean tsa, JarConstraintsParameters jcp) {
 
         try {
-            DISABLED_CHECK.permits(alg, jcp);
+            DISABLED_CHECK.permits(alg, jcp, false);
         } catch (CertPathValidatorException e) {
             disabledAlgFound = true;
             return String.format(rb.getString("with.disabled"), alg);
         }
         try {
-            LEGACY_CHECK.permits(alg, jcp);
+            LEGACY_CHECK.permits(alg, jcp, false);
             return alg;
         } catch (CertPathValidatorException e) {
             if (primitiveSet == SIG_PRIMITIVE_SET) {
@@ -1295,13 +1300,13 @@ private String verifyWithWeak(String alg, Set<CryptoPrimitive> primitiveSet,
     private String verifyWithWeak(PublicKey key, JarConstraintsParameters jcp) {
         int kLen = KeyUtil.getKeySize(key);
         try {
-            DISABLED_CHECK.permits(key.getAlgorithm(), jcp);
+            DISABLED_CHECK.permits(key.getAlgorithm(), jcp, true);
         } catch (CertPathValidatorException e) {
             disabledAlgFound = true;
             return String.format(rb.getString("key.bit.disabled"), kLen);
         }
         try {
-            LEGACY_CHECK.permits(key.getAlgorithm(), jcp);
+            LEGACY_CHECK.permits(key.getAlgorithm(), jcp, true);
             if (kLen >= 0) {
                 return String.format(rb.getString("key.bit"), kLen);
             } else {
@@ -1318,9 +1323,9 @@ private void checkWeakSign(String alg, Set<CryptoPrimitive> primitiveSet,
         boolean tsa, JarConstraintsParameters jcp) {
 
         try {
-            DISABLED_CHECK.permits(alg, jcp);
+            DISABLED_CHECK.permits(alg, jcp, false);
             try {
-                LEGACY_CHECK.permits(alg, jcp);
+                LEGACY_CHECK.permits(alg, jcp, false);
             } catch (CertPathValidatorException e) {
                 if (primitiveSet == SIG_PRIMITIVE_SET) {
                     legacyAlg |= 2;
@@ -1347,9 +1352,9 @@ private void checkWeakSign(String alg, Set<CryptoPrimitive> primitiveSet,
 
     private void checkWeakSign(PrivateKey key, JarConstraintsParameters jcp) {
         try {
-            DISABLED_CHECK.permits(key.getAlgorithm(), jcp);
+            DISABLED_CHECK.permits(key.getAlgorithm(), jcp, true);
             try {
-                LEGACY_CHECK.permits(key.getAlgorithm(), jcp);
+                LEGACY_CHECK.permits(key.getAlgorithm(), jcp, true);
             } catch (CertPathValidatorException e) {
                 legacyAlg |= 8;
             }
diff --git a/jdk/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/jdk/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -192,16 +192,16 @@ public final boolean permits(Set<CryptoPrimitive> primitives,
     }
 
     public final void permits(String algorithm, AlgorithmParameters ap,
-        ConstraintsParameters cp) throws CertPathValidatorException {
-
-        permits(algorithm, cp);
+            ConstraintsParameters cp, boolean checkKey)
+            throws CertPathValidatorException {
+        permits(algorithm, cp, checkKey);
         if (ap != null) {
             permits(ap, cp);
         }
     }
 
     private void permits(AlgorithmParameters ap, ConstraintsParameters cp)
-        throws CertPathValidatorException {
+            throws CertPathValidatorException {
 
         switch (ap.getAlgorithm().toUpperCase(Locale.ENGLISH)) {
             case "RSASSA-PSS":
@@ -219,36 +219,38 @@ private void permitsPSSParams(AlgorithmParameters ap,
             PSSParameterSpec pssParams =
                 ap.getParameterSpec(PSSParameterSpec.class);
             String digestAlg = pssParams.getDigestAlgorithm();
-            permits(digestAlg, cp);
+            permits(digestAlg, cp, false);
             AlgorithmParameterSpec mgfParams = pssParams.getMGFParameters();
             if (mgfParams instanceof MGF1ParameterSpec) {
                 String mgfDigestAlg =
                     ((MGF1ParameterSpec)mgfParams).getDigestAlgorithm();
                 if (!mgfDigestAlg.equalsIgnoreCase(digestAlg)) {
-                    permits(mgfDigestAlg, cp);
+                    permits(mgfDigestAlg, cp, false);
                 }
             }
         } catch (InvalidParameterSpecException ipse) {
             // ignore
         }
     }
 
-    public final void permits(String algorithm, ConstraintsParameters cp)
-            throws CertPathValidatorException {
+    public final void permits(String algorithm, ConstraintsParameters cp,
+            boolean checkKey) throws CertPathValidatorException {
 
-        // Check if named curves in the key are disabled.
-        for (Key key : cp.getKeys()) {
-            for (String curve : getNamedCurveFromKey(key)) {
-                if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
-                    throw new CertPathValidatorException(
+        if (checkKey) {
+            // Check if named curves in the key are disabled.
+            for (Key key : cp.getKeys()) {
+                for (String curve : getNamedCurveFromKey(key)) {
+                    if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {
+                        throw new CertPathValidatorException(
                             "Algorithm constraints check failed on disabled " +
                                     "algorithm: " + curve,
                             null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
+                    }
                 }
             }
         }
 
-        algorithmConstraints.permits(algorithm, cp);
+        algorithmConstraints.permits(algorithm, cp, checkKey);
     }
 
     private static List<String> getNamedCurveFromKey(Key key) {
@@ -479,8 +481,8 @@ public boolean permits(String algorithm, AlgorithmParameters aps) {
             return true;
         }
 
-        public void permits(String algorithm, ConstraintsParameters cp)
-                throws CertPathValidatorException {
+        public void permits(String algorithm, ConstraintsParameters cp,
+                boolean checkKey) throws CertPathValidatorException {
 
             if (debug != null) {
                 debug.println("Constraints.permits(): " + algorithm + ", "
@@ -494,8 +496,10 @@ public void permits(String algorithm, ConstraintsParameters cp)
                 algorithms.add(algorithm);
             }
 
-            for (Key key : cp.getKeys()) {
-                algorithms.add(key.getAlgorithm());
+            if (checkKey) {
+                for (Key key : cp.getKeys()) {
+                    algorithms.add(key.getAlgorithm());
+                }
             }
 
             // Check all applicable constraints
@@ -505,6 +509,9 @@ public void permits(String algorithm, ConstraintsParameters cp)
                     continue;
                 }
                 for (Constraint constraint : list) {
+                    if (!checkKey && constraint instanceof KeySizeConstraint) {
+                        continue;
+                    }
                     constraint.permits(cp);
                 }
             }
diff --git a/jdk/src/share/classes/sun/security/util/JarConstraintsParameters.java b/jdk/src/share/classes/sun/security/util/JarConstraintsParameters.java
@@ -98,16 +98,11 @@ public JarConstraintsParameters(CodeSigner[] signers) {
         this.timestamp = latestTimestamp;
     }
 
-    public JarConstraintsParameters(List<X509Certificate> chain, Timestamp timestamp) {
+    public JarConstraintsParameters(List<X509Certificate> chain, Date timestamp) {
         this.keys = new HashSet<>();
         this.certsIssuedByAnchor = new HashSet<>();
         addToCertsAndKeys(chain);
-        if (timestamp != null) {
-            addToCertsAndKeys(timestamp.getSignerCertPath());
-            this.timestamp = timestamp.getTimestamp();
-        } else {
-            this.timestamp = null;
-        }
+        this.timestamp = timestamp;
     }
 
     // extract last certificate and signer's public key from chain
@@ -178,7 +173,7 @@ public void setExtendedExceptionMsg(String file, String target) {
 
     @Override
     public String extendedExceptionMsg() {
-        return message;
+        return message == null ? "." : message;
     }
 
     @Override
diff --git a/jdk/src/share/classes/sun/security/util/ManifestEntryVerifier.java b/jdk/src/share/classes/sun/security/util/ManifestEntryVerifier.java
@@ -217,7 +217,7 @@ public CodeSigner[] verify(Hashtable<String, CodeSigner[]> verifiedSigners,
                     params.setExtendedExceptionMsg(JarFile.MANIFEST_NAME,
                         name + " entry");
                     DisabledAlgorithmConstraints.jarConstraints()
-                           .permits(digest.getAlgorithm(), params);
+                           .permits(digest.getAlgorithm(), params, false);
                 } catch (GeneralSecurityException e) {
                     if (debug != null) {
                         debug.println("Digest algorithm is restricted: " + e);
diff --git a/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java b/jdk/src/share/classes/sun/security/util/SignatureFileVerifier.java
@@ -360,7 +360,7 @@ private boolean permittedCheck(String key, String algorithm) {
             try {
                 params.setExtendedExceptionMsg(name + ".SF", key + " attribute");
                 DisabledAlgorithmConstraints
-                    .jarConstraints().permits(algorithm, params);
+                    .jarConstraints().permits(algorithm, params, false);
             } catch (GeneralSecurityException e) {
                 permittedAlgs.put(algorithm, Boolean.FALSE);
                 permittedAlgs.put(key.toUpperCase(), Boolean.FALSE);
diff --git a/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java b/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java

Original file line number	Diff line number	Diff line change
`@@ -192,16 +192,16 @@ public final boolean permits(Set<CryptoPrimitive> primitives,`
`192`	`192`	`}`
`193`	`193`
`194`	`194`	`public final void permits(String algorithm, AlgorithmParameters ap,`
`195`		`- ConstraintsParameters cp) throws CertPathValidatorException {`
`196`		`-`
`197`		`- permits(algorithm, cp);`
	`195`	`+ ConstraintsParameters cp, boolean checkKey)`
	`196`	`+ throws CertPathValidatorException {`
	`197`	`+ permits(algorithm, cp, checkKey);`
`198`	`198`	`if (ap != null) {`
`199`	`199`	`permits(ap, cp);`
`200`	`200`	`}`
`201`	`201`	`}`
`202`	`202`
`203`	`203`	`private void permits(AlgorithmParameters ap, ConstraintsParameters cp)`
`204`		`- throws CertPathValidatorException {`
	`204`	`+ throws CertPathValidatorException {`
`205`	`205`
`206`	`206`	`switch (ap.getAlgorithm().toUpperCase(Locale.ENGLISH)) {`
`207`	`207`	`case "RSASSA-PSS":`
`@@ -219,36 +219,38 @@ private void permitsPSSParams(AlgorithmParameters ap,`
`219`	`219`	`PSSParameterSpec pssParams =`
`220`	`220`	`ap.getParameterSpec(PSSParameterSpec.class);`
`221`	`221`	`String digestAlg = pssParams.getDigestAlgorithm();`
`222`		`- permits(digestAlg, cp);`
	`222`	`+ permits(digestAlg, cp, false);`
`223`	`223`	`AlgorithmParameterSpec mgfParams = pssParams.getMGFParameters();`
`224`	`224`	`if (mgfParams instanceof MGF1ParameterSpec) {`
`225`	`225`	`String mgfDigestAlg =`
`226`	`226`	`((MGF1ParameterSpec)mgfParams).getDigestAlgorithm();`
`227`	`227`	`if (!mgfDigestAlg.equalsIgnoreCase(digestAlg)) {`
`228`		`- permits(mgfDigestAlg, cp);`
	`228`	`+ permits(mgfDigestAlg, cp, false);`
`229`	`229`	`}`
`230`	`230`	`}`
`231`	`231`	`} catch (InvalidParameterSpecException ipse) {`
`232`	`232`	`// ignore`
`233`	`233`	`}`
`234`	`234`	`}`
`235`	`235`
`236`		`- public final void permits(String algorithm, ConstraintsParameters cp)`
`237`		`- throws CertPathValidatorException {`
	`236`	`+ public final void permits(String algorithm, ConstraintsParameters cp,`
	`237`	`+ boolean checkKey) throws CertPathValidatorException {`
`238`	`238`
`239`		`- // Check if named curves in the key are disabled.`
`240`		`- for (Key key : cp.getKeys()) {`
`241`		`- for (String curve : getNamedCurveFromKey(key)) {`
`242`		`- if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {`
`243`		`- throw new CertPathValidatorException(`
	`239`	`+ if (checkKey) {`
	`240`	`+ // Check if named curves in the key are disabled.`
	`241`	`+ for (Key key : cp.getKeys()) {`
	`242`	`+ for (String curve : getNamedCurveFromKey(key)) {`
	`243`	`+ if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) {`
	`244`	`+ throw new CertPathValidatorException(`
`244`	`245`	`"Algorithm constraints check failed on disabled " +`
`245`	`246`	`"algorithm: " + curve,`
`246`	`247`	`null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);`
	`248`	`+ }`
`247`	`249`	`}`
`248`	`250`	`}`
`249`	`251`	`}`
`250`	`252`
`251`		`- algorithmConstraints.permits(algorithm, cp);`
	`253`	`+ algorithmConstraints.permits(algorithm, cp, checkKey);`
`252`	`254`	`}`
`253`	`255`
`254`	`256`	`private static List<String> getNamedCurveFromKey(Key key) {`
`@@ -479,8 +481,8 @@ public boolean permits(String algorithm, AlgorithmParameters aps) {`
`479`	`481`	`return true;`
`480`	`482`	`}`
`481`	`483`
`482`		`- public void permits(String algorithm, ConstraintsParameters cp)`
`483`		`- throws CertPathValidatorException {`
	`484`	`+ public void permits(String algorithm, ConstraintsParameters cp,`
	`485`	`+ boolean checkKey) throws CertPathValidatorException {`
`484`	`486`
`485`	`487`	`if (debug != null) {`
`486`	`488`	`debug.println("Constraints.permits(): " + algorithm + ", "`
`@@ -494,8 +496,10 @@ public void permits(String algorithm, ConstraintsParameters cp)`
`494`	`496`	`algorithms.add(algorithm);`
`495`	`497`	`}`
`496`	`498`
`497`		`- for (Key key : cp.getKeys()) {`
`498`		`- algorithms.add(key.getAlgorithm());`
	`499`	`+ if (checkKey) {`
	`500`	`+ for (Key key : cp.getKeys()) {`
	`501`	`+ algorithms.add(key.getAlgorithm());`
	`502`	`+ }`
`499`	`503`	`}`
`500`	`504`
`501`	`505`	`// Check all applicable constraints`
`@@ -505,6 +509,9 @@ public void permits(String algorithm, ConstraintsParameters cp)`
`505`	`509`	`continue;`
`506`	`510`	`}`
`507`	`511`	`for (Constraint constraint : list) {`
	`512`	`+ if (!checkKey && constraint instanceof KeySizeConstraint) {`
	`513`	`+ continue;`
	`514`	`+ }`
`508`	`515`	`constraint.permits(cp);`
`509`	`516`	`}`
`510`	`517`	`}`