RFR: 8322971: KEM.getInstance() should check if a 3rd-party security provider is signed
Sean Mullan
mullan at openjdk.org
Mon Jan 8 21:36:24 UTC 2024
On Mon, 8 Jan 2024 20:54:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:
>> test/jdk/javax/crypto/KEM/RSA_KEM.java line 128:
>>
>>> 126: // To bypass the JCE security provider signature check
>>> 127: private static KEM getKemImpl(Provider p) throws Exception {
>>> 128: var ctor = KEM.class.getDeclaredConstructor(
>>
>> How about creating it this way only if `java.runtime.name` system property does not contain "OpenJDK"?
>
> I am not sure if other OpenJDK vendors always include the "OpenJDK" name. Or, can call `getInstance()` and then fallback to this way if there is an exception?
True, although in that case the worse that would happen is that they use reflection instead of calling `KEM.getInstance`. Actually I am ok with this code now - as long as we have other tests that test `KEM.getInstance`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/17253#discussion_r1445365329
More information about the security-dev
mailing list