[8u] RFR: 8172404: Tools should warn if weak algorithms are used before restricting them
Martin Balao
mbalao at redhat.com
Wed Feb 3 19:04:27 UTC 2021
Hi Severin,
Thanks for proposing this backport.
On 2/3/21 10:41 AM, Severin Gehwolf wrote:
>> This allows one to reason
>> that sigalg, tSADigestAlg and digestalg will never be null when new
>> method checkWeakSign() is being called. The former, because of what
>> I've just explained earlier, the latter two because they are being set
>> to default values on object construction in contrast to code in JDK 11u.
In the case of tSADigestAlg and digestalg, my understanding is that you
are assuming that they cannot be null because in 8u they are initialized
upon object construction. I.e.: String digestalg = "SHA-256". However,
I've seen "if (digestalg != null ..." and "if (tSADigestAlg != null ..."
statements in 8u which makes me think that this is not necessarily true,
as if the instance variable can eventually turn null after the object is
created. Otherwise, those checks would be redundant. I've seen a couple
of places where the value is updated. Have you ruled out this possibility?
Martin.-