RFR: 8244336: Restrict algorithms at JCE layer [v2]
Valerie Peng
valeriep at openjdk.org
Wed Aug 6 03:03:06 UTC 2025
On Thu, 31 Jul 2025 14:33:03 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Well, I see your concern and it's valid. However, quite a few algorithms do not have OIDs as the java security standard names may not have an 1-to-1 mapping to OID, or no OID defined at all. For example, none of `Keystore` type has a corresponding OID. Also, in the case of `Cipher`, this is even more complicated, e.g. `AES` OIDs are keysize-specific and `PBES2` cipher has one OID but there are multiple algorithm names which includes additional components/algorithms info (`PBEWithHmacSHA1AndAES_128`, `PBEWithHmacSHA512/256AndAES_256`. Thus, we can't use whether there is an OID to check for user typos. In addition, there could be algorithms which JDK does not have an OID mapping as `KnownOIDs` usually doesn't cover algorithms that we don't support. If we want to be stricter, I can change to error out if invalid entry is detected instead of ignored. However, we can only validate against syntax and perhaps reject unsupported services if desired. But the algorithm part is really diffic
ult to validate.
>
> Ok, these are good points. So suggest we throw an IAE if the syntax is invalid (missing ".", etc) or the service name is not one of the supported ones.
Ok. will change.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2255744826
More information about the security-dev
mailing list