[jdk25u-dev] RFR: 8359388: Stricter checking for cipher transformations [v2]

Roland Mesde duke at openjdk.org
Mon Jan 12 16:32:33 UTC 2026


> Backporting JDK-8359388: Stricter checking for cipher transformations
> 
> This PR addresses a security and specification compliance issue in Java's cryptographic framework. The javax.crypto.Cipher class is supposed to accept transformation strings in two formats: either a simple algorithm name like "AES", or a complete specification like "AES/CBC/PKCS5Padding" that includes algorithm, mode, and padding.
> 
> However, a previous change (JDK-8358159) had made the parser too lenient, allowing malformed transformations with missing components like "AES//" or "AES/CBC/". This created ambiguity about what cryptographic operations would actually be performed, potentially leading to weaker security than developers intended.
> 
> This depends on https://github.com/openjdk/jdk25u-dev/pull/95
> 
> For parity with Oracle JDK.
> 
> Ran related tests on linux-x64, linux-aarch64, macos-aarch64 and windows-x64:
> 
> (Passed) - make test TEST=test/jdk/javax/crypto/Cipher/TestEmptyModePadding.java
> (Passed) - make test TEST=test/jdk/javax/crypto
> 
> Results attached:
> 
> [windows-x64-specific-test.log](https://github.com/user-attachments/files/24439198/windows-x64-specific-test.log)
> [windows-x64-specific-2-test.log](https://github.com/user-attachments/files/24439200/windows-x64-specific-2-test.log)
> [macos-aarch64-specific-test.log](https://github.com/user-attachments/files/24439201/macos-aarch64-specific-test.log)
> [macos-aarch64-specific-2-test.log](https://github.com/user-attachments/files/24439202/macos-aarch64-specific-2-test.log)
> [linux-x64-specific-test.log](https://github.com/user-attachments/files/24439203/linux-x64-specific-test.log)
> [linux-x64-specific-2-test.log](https://github.com/user-attachments/files/24439204/linux-x64-specific-2-test.log)
> [linux-aarch64-specific-test.log](https://github.com/user-attachments/files/24439205/linux-aarch64-specific-test.log)
> [linux-aarch64-specific-2-test.log](https://github.com/user-attachments/files/24439206/linux-aarch64-specific-2-test.log)

Roland Mesde has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains three additional commits since the last revision:

 - Backport ec7c6be6a9e84c8cd2077fea07930592ddd13669
 - Merge branch 'openjdk:master' into JDK-8358159-V25
 - Backport 3ff83ec49e561c44dd99508364b8ba068274b63a

-------------

Changes:
  - all: https://git.openjdk.org/jdk25u-dev/pull/130/files
  - new: https://git.openjdk.org/jdk25u-dev/pull/130/files/f10acbed..f10acbed

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk25u-dev&pr=130&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk25u-dev&pr=130&range=00-01

  Stats: 0 lines in 0 files changed: 0 ins; 0 del; 0 mod
  Patch: https://git.openjdk.org/jdk25u-dev/pull/130.diff
  Fetch: git fetch https://git.openjdk.org/jdk25u-dev.git pull/130/head:pull/130

PR: https://git.openjdk.org/jdk25u-dev/pull/130
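
A probe for the behaviour the quoted PR description covers, as an added example that is not part of the original message or of the JDK patch: it passes the two valid forms and the two malformed strings named in the description to `Cipher.getInstance` and flags any malformed string the running JDK still accepts. The class name, the method names and the `isWellFormed` shape check are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.util.List;
import javax.crypto.Cipher;

/** Added example: shows how the running JDK treats well-formed and malformed transformations. */
public class TransformationProbe {

    /** Hypothetical strict shape check: "algorithm" or "algorithm/mode/padding", no empty component. */
    static boolean isWellFormed(String transformation) {
        if (transformation == null) {
            return false;
        }
        // Limit -1 keeps trailing empty strings, so "AES/CBC/" yields 3 parts, the last one empty.
        String[] parts = transformation.split("/", -1);
        if (parts.length != 1 && parts.length != 3) {
            return false;
        }
        for (String part : parts) {
            if (part.trim().isEmpty()) {
                return false;
            }
        }
        return true;
    }

    /** Returns true if Cipher.getInstance accepts the string on this JDK. */
    static boolean acceptedByJdk(String transformation) {
        try {
            Cipher.getInstance(transformation);
            return true;
        } catch (GeneralSecurityException e) {
            // NoSuchAlgorithmException or NoSuchPaddingException: the transformation was rejected.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the valid and malformed strings quoted in the PR description.
        List<String> samples = List.of("AES", "AES/CBC/PKCS5Padding", "AES//", "AES/CBC/");
        for (String t : samples) {
            boolean wellFormed = isWellFormed(t);
            boolean accepted = acceptedByJdk(t);
            String note = (!wellFormed && accepted) ? "  <-- malformed string accepted" : "";
            System.out.printf("%-24s wellFormed=%-5b jdkAccepts=%-5b%s%n",
                    "\"" + t + "\"", wellFormed, accepted, note);
        }
    }
}
```

Running the same shape check over transformation strings loaded from configuration, before they reach `Cipher.getInstance`, makes the application's behaviour independent of which parser the deployed JDK has.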