RFR: 8281561: Disable http DIGEST mechanism with MD5 by default [v2]
Michael McMahon
michaelm at openjdk.java.net
Thu Mar 10 16:46:50 UTC 2022
On Thu, 10 Mar 2022 14:21:41 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> Michael McMahon has updated the pull request incrementally with two additional commits since the last revision:
>>
>> - update
>> - update after first review round
>
> src/java.base/share/conf/security/java.security line 711:
>
>> 709: # separated list of algorithms to be allowed.
>> 710: #
>> 711: jdk.httpdigest.defaultDisabledAlgorithms = MD5, MD-5, SHA1, SHA-1
>
> I haven't seen people using "MD-5". It's also not an alias of "MD5" in our own security providers. On the other hand, we support both "SHA1" and "SHA" (and its OID) as aliases of "SHA-1". So, either we list all these aliases here, or we only put the standard names here and "canonicalize" the name when we see one. `sun.security.util.KnownOIDs.findMatch("SHA-1").stdName()` can be used.
The aliases are a PITA. It's a shame there isn't support in the public API to canonicalize the names. But, what I will do is canonicalize the incoming strings from the HTTP server and then we only have to list canonical names in the properties.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
More information about the net-dev
mailing list