RFR: 8244336: Restrict algorithms at JCE layer [v4]
Artur Barashev
abarashev at openjdk.org
Wed Aug 6 15:13:07 UTC 2025
On Wed, 6 Aug 2025 04:50:50 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> src/java.base/share/conf/security/java.security line 793:
>>
>>> 791: #
>>> 792: # Service: (one of the following, more service may be added later)
>>> 793: # Cipher | KeyStore | MessageDigest | Signature
>>
>> Should we consider matching all services if service name is missing (make service name optional)?
>
> Missing service should be treated as error. If we want to match all services, it is better represented as "*". This may be considered for future enhancement if there is a demand.
I thought about an option of using the `*` wildcard too. We can do it in this iteration simply by replacing `*.algorithm` with `Cipher.algorithm`, `KeyStore.algorithm`, `MessageDigest.algorithm`, `Signature.algorithm`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2257516193