RFR: 8244336: Restrict algorithms at JCE layer [v4]
Artur Barashev
abarashev at openjdk.org
Wed Aug 6 15:37:05 UTC 2025
On Wed, 6 Aug 2025 15:10:44 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Missing service should be treated as error. If we want to match all services, it is better represented as "*". This may be considered for future enhancement if there is a demand.
>
> I thought about an option of using `*` wildcard too. We can do it in this iteration simply by replacing `*.algorithm` with `Cipher.algorithm`, `KeyStore.algorithm`, `MessageDiges.algorithmt`, `Signature.algorithm`.
But I think simply omitting a service name is a better solution because in such case we can check the algorithm against the whole `jdk.crypto.disabledAlgorithms` property in one call without specifying the service name:
`CryptoAlgorithmConstraints.permits(algo)`
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2257577015
More information about the security-dev
mailing list