RFR: 8273670: Remove weak etypes from default krb5 etype list
Valerie Peng
valeriep at openjdk.java.net
Fri Sep 24 21:58:58 UTC 2021
On Thu, 23 Sep 2021 14:32:01 GMT, Weijun Wang <weijun at openjdk.org> wrote:
> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well.
src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 85:
> 83:
> 84: // By default, only AES etypes are enabled
> 85: defaultETypes = Arrays.copyOf(result, num);
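Review bot: the comment on line 84 states the policy ("only AES etypes are enabled") but not how `result` and `num` come to hold only AES types, and neither is visible at this point; a short comment naming the filter that builds `result` (including the key-length check that decides whether the 256-bit AES types are included) would make the `Arrays.copyOf(result, num)` on line 85 self-explanatory, and would also make it obvious why `num` can never exceed `result.length`.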
nit: why not just do:

```java
defaultETypes = (maxKeyLength >= 256 ?
        new int[] {
            EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96,
            EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
            EncryptedData.ETYPE_AES256_CTS_HMAC_SHA384_192,
            EncryptedData.ETYPE_AES128_CTS_HMAC_SHA256_128,
        } : new int[] {
            EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
            EncryptedData.ETYPE_AES128_CTS_HMAC_SHA256_128,
        });
```
-------------
PR: https://git.openjdk.java.net/jdk/pull/5654
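To make the effect of the change concrete: the point of dropping weak etypes from the default list is that flipping the global "allow weak crypto" switch no longer enables every weak etype at once; a weak type is only used when the administrator lists it explicitly. The following is an added, self-contained illustration of that policy and is not code from the JDK or from this PR; the class name `EtypePolicyExample`, the method names and the way the configured list is passed in are hypothetical, and only the etype numbers (taken from the standard Kerberos registry) and the AES-only default list from the review comment above are real.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added illustration (hypothetical names, not the JDK's EType class):
 * how a default etype list that contains only AES types interacts with
 * an explicit etype configuration and an allow-weak-crypto switch.
 */
public final class EtypePolicyExample {
    // Standard Kerberos etype numbers (RFC 3961, RFC 3962, RFC 8009, RFC 4757).
    static final int AES256_CTS_HMAC_SHA1_96    = 18;
    static final int AES128_CTS_HMAC_SHA1_96    = 17;
    static final int AES256_CTS_HMAC_SHA384_192 = 20;
    static final int AES128_CTS_HMAC_SHA256_128 = 19;
    static final int DES3_CBC_SHA1 = 16;
    static final int RC4_HMAC      = 23;
    static final int DES_CBC_MD5   = 3;
    static final int DES_CBC_CRC   = 1;

    // Etypes treated as weak: never used unless explicitly configured AND allowed.
    static final Set<Integer> WEAK = new LinkedHashSet<>(
            Arrays.asList(DES3_CBC_SHA1, RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC));

    /** Default list: AES only; 256-bit types only if the JCE policy permits such keys. */
    static int[] defaultEtypes(int maxKeyLength) {
        return maxKeyLength >= 256
                ? new int[] {
                    AES256_CTS_HMAC_SHA1_96,
                    AES128_CTS_HMAC_SHA1_96,
                    AES256_CTS_HMAC_SHA384_192,
                    AES128_CTS_HMAC_SHA256_128,
                }
                : new int[] {
                    AES128_CTS_HMAC_SHA1_96,
                    AES128_CTS_HMAC_SHA256_128,
                };
    }

    /**
     * Effective list: the explicitly configured etypes if any were given
     * (e.g. a default_tkt_enctypes setting), otherwise the AES-only default,
     * with weak types dropped unless allowWeakCrypto is true. Because the
     * default never contains a weak type, allowWeakCrypto alone enables nothing.
     */
    static int[] effectiveEtypes(int maxKeyLength, int[] configured, boolean allowWeakCrypto) {
        int[] base = (configured != null) ? configured : defaultEtypes(maxKeyLength);
        List<Integer> out = new ArrayList<>();
        for (int e : base) {
            if (WEAK.contains(e) && !allowWeakCrypto) {
                continue;           // weak type present but not allowed: skip it
            }
            if (!out.contains(e)) {
                out.add(e);         // keep configured order, drop duplicates
            }
        }
        return out.stream().mapToInt(Integer::intValue).toArray();
    }

    public static void main(String[] args) {
        // No explicit configuration: the weak switch changes nothing, the list stays AES-only.
        System.out.println("default, weak allowed:    "
                + Arrays.toString(effectiveEtypes(256, null, true)));
        // Explicitly configured (constructed sample): RC4 then AES256, weak allowed.
        int[] configured = {RC4_HMAC, AES256_CTS_HMAC_SHA1_96};
        System.out.println("explicit, weak allowed:   "
                + Arrays.toString(effectiveEtypes(256, configured, true)));
        // Same explicit list with the weak switch off: RC4 is filtered out.
        System.out.println("explicit, weak forbidden: "
                + Arrays.toString(effectiveEtypes(256, configured, false)));
        // Restricted JCE policy: only the 128-bit AES types are in the default.
        System.out.println("default, 128-bit limit:   "
                + Arrays.toString(effectiveEtypes(128, null, false)));
    }
}
```

The design choice worth noting is the separation of the two decisions: the default list is a fixed, strong-only set chosen by key-length policy, while weak types enter only through an explicit configuration and are then still subject to the allow-weak-crypto switch. That is exactly what makes enabling a single weak etype safer than it was when the default list itself contained them.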