[14] RFR: 8233228: Support named curves for all disabledAlgorithms

Anthony Scarpino anthony.scarpino at oracle.com
Mon Dec 2 03:32:00 UTC 2019


On 11/27/19 5:26 PM, Weijun Wang wrote:
> In ConstraintsParameters.java:
> 
> You added curveStr assignment in the ConstraintsParameters(X509Certificate,...). Is it also necessary to do the same in the next constructor ConstraintsParameters(...,Key,...)? You can get curve name from the key.

I do not believe it is necessary because the algorithm, such as EC or 
AES, checks the key length. Also, named curves do not have variable key 
lengths that I know of.

Tony

> 
> Also, now that a key has a parameter that needs to be checked, in the following public method in DisabledAlgorithmConstraints.java
> 
> public boolean permits(Key key) {
>      List<Constraint> list = getConstraints(key.getAlgorithm());
>      if (list == null) {
>          return true;
>      }
>      for (Constraint constraint : list) {
>          if (!constraint.permits(key)) {
>              if (debug != null) {
>                  debug.println("Constraints: failed key size" +
>                          "constraint check " + KeyUtil.getKeySize(key));
>              }
>              return false;
>          }
>      }
>      return true;
> }
> 
> should getConstraints() be called on both the algorithm name and the group name?
> 
> Thanks,
> Max
> 
> 
> 
>> On Nov 20, 2019, at 3:44 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>>
>> I need a review of a disabled algorithms code change that allows EC curve names to be disabled for all the disabledAlgorithm properties.
>>
>> https://cr.openjdk.java.net/~ascarpino/8233228/webrev/
>>
>> Tony
> 
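
An added illustration of the lookup Max asks about, not code from the webrev or the JDK: a constructed model in which a key-only check consults a disabled list by algorithm name alone, and then by algorithm name plus the key's curve. The class, its method names and the policy list are hypothetical; only public JCA calls are used (Java 9 or later).

```java
import java.security.*;
import java.security.interfaces.ECKey;
import java.security.spec.*;
import java.util.List;

public class CurveNameLookup {
    // Constructed policy list: a digest name and one curve name; "EC" itself is absent.
    static final List<String> DISABLED = List.of("MD2", "secp256r1");
    // Resolve a name to curve parameters with public JCA calls; null if not a known curve.
    static ECParameterSpec curveParams(String name) {
        try {
            AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
            ap.init(new ECGenParameterSpec(name));
            return ap.getParameterSpec(ECParameterSpec.class);
        } catch (GeneralSecurityException e) {
            return null;
        }
    }
    // ECParameterSpec has no equals(); compare its components instead.
    static boolean sameCurve(ECParameterSpec a, ECParameterSpec b) {
        return a.getCurve().equals(b.getCurve())
                && a.getGenerator().equals(b.getGenerator())
                && a.getOrder().equals(b.getOrder())
                && a.getCofactor() == b.getCofactor();
    }
    // Lookup keyed on key.getAlgorithm() only.
    static boolean permitsByAlgorithm(Key key) {
        return !DISABLED.contains(key.getAlgorithm());
    }
    // Same lookup, plus a match of the key's curve against every disabled name.
    static boolean permitsByAlgorithmAndCurve(Key key) {
        if (!permitsByAlgorithm(key)) return false;
        if (!(key instanceof ECKey)) return true;
        ECParameterSpec keyParams = ((ECKey) key).getParams();
        for (String name : DISABLED) {
            ECParameterSpec disabled = curveParams(name);
            if (disabled != null && sameCurve(keyParams, disabled)) return false;
        }
        return true;
    }
    public static void main(String[] args) throws GeneralSecurityException {
        for (String curve : List.of("secp256r1", "secp384r1")) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            kpg.initialize(new ECGenParameterSpec(curve));
            Key key = kpg.generateKeyPair().getPublic();
            System.out.println(curve + ": algorithm-only=" + permitsByAlgorithm(key)
                    + ", algorithm+curve=" + permitsByAlgorithmAndCurve(key));
        }
    }
}
```

In this model the secp256r1 key passes the algorithm-only lookup, because its algorithm name is "EC", and is rejected only once the curve is consulted.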