RFR: 8244336: Restrict algorithms at JCE layer [v4]
Valerie Peng
valeriep at openjdk.org
Wed Aug 6 03:12:06 UTC 2025
On Fri, 1 Aug 2025 13:04:14 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> Valerie Peng has updated the pull request incrementally with one additional commit since the last revision:
>>
>> Added support for overriding the security property with a system
>> property using the same property name.
>
> src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java line 80:
>
>> 78: if (val != null) {
>> 79: Security.setProperty(propertyName, val);
>> 80: }
>
> I don't think you should set the security property with the value of the system property. This should be:
>
>
> if (val == null) {
> val = Security.getProperty(propertyName);
> }
>
>
> Or you can just call `sun.security.util.SecurityProperties.getOverridableProperty()`.
The property value retrieval is inside the parent class. Yes, it's a little like a hack. Let me modify the parent class to achieve this more gracefully then.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2255755998
More information about the security-dev
mailing list