RFR: 8268427: Improve AlgorithmConstraints:checkAlgorithm performance
Dongbo He
dongbohe at openjdk.java.net
Fri Jun 11 08:00:51 UTC 2021
On Fri, 11 Jun 2021 04:21:15 GMT, Xue-Lei Andrew Fan <xuelei at openjdk.org> wrote:
>> The collection required when new Constraints() should retain the default case of the elements, because some code will depend on this, for example, .
>> [entry.startsWith("keySize")](https://github.com/openjdk/jdk/blob/dd1cbadc82bcecf718b96c833a5845fde79db061/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java#L383).
>> But the set required by the permits should unify the case of the elements, because algorithm may be uppercase or lowercase, but the Set:contains() cannot handle this situation.
>> So we need to create a new Set that ignores the default case of elements.
>
> For the entry.startsWith("keySize") example, I don't think keySize is an algorithm that could be listed individually in the list. The "keySize" may be just a part one algorithm, for example "RSA keySize < 1024".
>
> It's a good point about the lowercase and upper case. Did you check how constraints like the "keySize" are expressed in the list or set?
Yes, you're right. The "keySize" is not an independent algorithm listed in list, it exists in a form like "ec keysize <224".
In the case of "keySize", the object in the list stored in `algorithmConstraints` is `KeySizeConstraint`, then keysize will be checked in [algorithmConstraints.permits(algorithm, parameters)](https://github.com/openjdk/jdk/blob/dd1cbadc82bcecf718b96c833a5845fde79db061/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java#L169) by `KeySizeConstraint:permits`.
-------------
PR: https://git.openjdk.java.net/jdk/pull/4424
More information about the security-dev
mailing list