RFR: 8273670: Remove weak etypes from default krb5 etype list
Weijun Wang
weijun at openjdk.java.net
Sat Sep 25 00:20:55 UTC 2021
On Fri, 24 Sep 2021 21:55:44 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> This code change removes weak etypes from the default list so it's safer to enable one of them. See the corresponding CSR at https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW, please review the CSR as well.
>
> src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 85:
>
>> 83:
>> 84: // By default, only AES etypes are enabled
>> 85: defaultETypes = Arrays.copyOf(result, num);
>
> nit: why not just do:
> <pre> defaultETypes = (maxKeyLength >= 256?
> new int[] {
> EncryptedData.ETYPE_AES256_CTS_HMAC_SHA1_96,
> EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
> EncryptedData.ETYPE_AES256_CTS_HMAC_SHA384_192,
> EncryptedData.ETYPE_AES128_CTS_HMAC_SHA256_128,
> } : new int[] {
> EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96,
> EncryptedData.ETYPE_AES128_CTS_HMAC_SHA256_128,
> });
> </pre>
OK, I can code this way.
-------------
PR: https://git.openjdk.java.net/jdk/pull/5654
More information about the security-dev
mailing list