[jdk25u-dev] RFR: 8359388: Stricter checking for cipher transformations [v3]
duke
duke at openjdk.org
Mon Jan 12 20:45:37 UTC 2026
On Mon, 12 Jan 2026 20:13:23 GMT, Roland Mesde <duke at openjdk.org> wrote:
>> Backporting JDK-8359388: Stricter checking for cipher transformations
>>
>> This PR addresses a security and specification compliance issue in Java's cryptographic framework. The javax.crypto.Cipher class is supposed to accept transformation strings in two formats: either a simple algorithm name like "AES", or a complete specification like "AES/CBC/PKCS5Padding" that includes algorithm, mode, and padding.
>>
>> However, a previous change (JDK-8358159) had made the parser too lenient, allowing malformed transformations with missing components like "AES//" or "AES/CBC/". This created ambiguity about what cryptographic operations would actually be performed, potentially leading to weaker security than developers intended.
>>
>> This depends on https://github.com/openjdk/jdk25u-dev/pull/95
>>
>> For parity with Oracle JDK.
>>
>> Ran related tests on linux-x64, linux-aarch64, macos-aarch64 and windows-x64:
>>
>> (Passed) - make test TEST=test/jdk/javax/crypto/Cipher/TestEmptyModePadding.java
>> (Passed) - make test TEST=test/jdk/javax/crypto
>>
>> Results attached:
>>
>> [windows-x64-specific-test.log](https://github.com/user-attachments/files/24439198/windows-x64-specific-test.log)
>> [windows-x64-specific-2-test.log](https://github.com/user-attachments/files/24439200/windows-x64-specific-2-test.log)
>> [macos-aarch64-specific-test.log](https://github.com/user-attachments/files/24439201/macos-aarch64-specific-test.log)
>> [macos-aarch64-specific-2-test.log](https://github.com/user-attachments/files/24439202/macos-aarch64-specific-2-test.log)
>> [linux-x64-specific-test.log](https://github.com/user-attachments/files/24439203/linux-x64-specific-test.log)
>> [linux-x64-specific-2-test.log](https://github.com/user-attachments/files/24439204/linux-x64-specific-2-test.log)
>> [linux-aarch64-specific-test.log](https://github.com/user-attachments/files/24439205/linux-aarch64-specific-test.log)
>> [linux-aarch64-specific-2-test.log](https://github.com/user-attachments/files/24439206/linux-aarch64-specific-2-test.log)
>
> Roland Mesde has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:
>
> - Merge master
> - Backport ec7c6be6a9e84c8cd2077fea07930592ddd13669
> - Merge branch 'openjdk:master' into JDK-8358159-V25
> - Backport 3ff83ec49e561c44dd99508364b8ba068274b63a
@rm-gh-8
Your change (at version 9c3a5d2d7c39047b1ebfe095aa5d190cd6737a45) is now ready to be sponsored by a Committer.
-------------
PR Comment: https://git.openjdk.org/jdk25u-dev/pull/130#issuecomment-3740411174
More information about the jdk-updates-dev
mailing list