[14] RFR: 8233228: Support named curves for all disabledAlgorithms

Weijun Wang weijun.wang at oracle.com
Mon Dec 2 05:16:51 UTC 2019



> On Dec 2, 2019, at 11:32 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
> 
> On 11/27/19 5:26 PM, Weijun Wang wrote:
>> In ConstraintsParameters.java:
>> You added curveStr assignment in the ConstraintsParameters(X509Certificate,...). Is it also necessary to do the same in the next constructor ConstraintsParameters(...,Key,...)? You can get curve name from the key.
> 
> I do not believe it is necessary because the algorithm, such as EC or AES, checks the key length.

But a key can be disabled both with its length and group name.

> Also named curves do not have variable key lengths that I know of

Yes, that's right.

--Max

> 
> Tony
> 
>> Also, now that a key has a parameter that needs to be checked, in the following public method in DisabledAlgorithmConstraints.java
>> public boolean permits(Key key) {
>>     List<Constraint> list = getConstraints(key.getAlgorithm());
>>     if (list == null) {
>>         return true;
>>     }
>>     for (Constraint constraint : list) {
>>         if (!constraint.permits(key)) {
>>             if (debug != null) {
>>                 debug.println("Constraints: failed key size" +
>>                         "constraint check " + KeyUtil.getKeySize(key));
>>             }
>>             return false;
>>         }
>>     }
>>     return true;
>> }
>> should getConstraints() be called on both the algorithm name and the group name?
>> Thanks,
>> Max
>>> On Nov 20, 2019, at 3:44 AM, Anthony Scarpino <anthony.scarpino at oracle.com> wrote:
>>> 
>>> I need a review of a disabled algorithms code change that allows EC curve names to be disabled for all the disabledAlgorithm properties.
>>> 
>>> https://cr.openjdk.java.net/~ascarpino/8233228/webrev/
>>> 
>>> Tony
> f
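
The question raised in this thread, whether the constraint lookup should use both the algorithm name and the group name, shown as an added example: this is a simplified model, not the JDK's DisabledAlgorithmConstraints code or the code under review. The class, its methods, the property value and the key attributes are all constructed for illustration, and only the "NAME" and "NAME keySize < N" entry forms are parsed.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

// Simplified, hypothetical model; not the JDK's DisabledAlgorithmConstraints.
public class CurveConstraintDemo {
    // A bare name disables the entry outright: no key size satisfies it.
    static final int DISABLED = Integer.MAX_VALUE;

    // name (lower case) -> minimum key sizes demanded by its entries
    private final Map<String, List<Integer>> constraints = new HashMap<>();

    // Parses "NAME" or "NAME keySize < N" entries (other operators omitted).
    CurveConstraintDemo(String property) {
        for (String entry : property.split(",")) {
            String[] t = entry.trim().split("\\s+");
            int min = DISABLED;
            if (t.length == 4 && t[1].equalsIgnoreCase("keySize") && t[2].equals("<")) {
                min = Integer.parseInt(t[3]);
            }
            constraints.computeIfAbsent(t[0].toLowerCase(Locale.ROOT),
                    k -> new ArrayList<>()).add(min);
        }
    }

    private boolean permitsName(String name, int keySize) {
        List<Integer> list = constraints.get(name.toLowerCase(Locale.ROOT));
        if (list == null) return true;          // no entry for this name
        for (int min : list) {
            if (keySize < min) return false;    // too small, or disabled outright
        }
        return true;
    }

    // Lookup keyed on the algorithm name only.
    boolean permitsByAlgorithm(String algorithm, int keySize) {
        return permitsName(algorithm, keySize);
    }

    // Lookup keyed on both the algorithm name and the curve (group) name.
    boolean permitsByAlgorithmAndCurve(String algorithm, String curve, int keySize) {
        return permitsName(algorithm, keySize)
                && (curve == null || permitsName(curve, keySize));
    }

    public static void main(String[] args) {
        // Constructed property value: a key size floor for EC plus one disabled curve.
        CurveConstraintDemo c = new CurveConstraintDemo("EC keySize < 224, secp256k1");
        System.out.println(c.permitsByAlgorithm("EC", 256));
        System.out.println(c.permitsByAlgorithmAndCurve("EC", "secp256k1", 256));
        System.out.println(c.permitsByAlgorithmAndCurve("EC", "secp256r1", 256));
    }
}
```

In this model a 256-bit key on the disabled curve passes the algorithm-only lookup because it meets the EC size floor, and is rejected only when the curve name is looked up as well.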


