RFR: 8244336: Restrict algorithms at JCE layer [v4]

Valerie Peng valeriep at openjdk.org
Fri Aug 8 01:37:14 UTC 2025


On Wed, 6 Aug 2025 15:34:11 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> I thought about an option of using `*` wildcard too. We can do it in this iteration simply by replacing `*.algorithm` with `Cipher.algorithm`, `KeyStore.algorithm`, `MessageDigest.algorithm`, `Signature.algorithm`.
>
> But I think simply omitting a service name is a better solution because in such a case we can check the algorithm against the whole `jdk.crypto.disabledAlgorithms` property in one call without specifying the service name:
> `CryptoAlgorithmConstraints.permits(algo)`

Well, with the current list of 4 supported services, they don't generally share the algorithm names. Thus, I don't see a lot of sense in doing this. Personally, I'd view omitting the service as an oversight. Not sure how commonly used it is. If there is no strong need for supporting wildcard, then I'd not do it, at least for this iteration. This is my personal preference. If there are strong reasons and usage scenarios driving wildcard support, then I am open to it.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2261752951

