RFR: 8244336: Restrict algorithms at JCE layer [v4]
Artur Barashev
abarashev at openjdk.org
Fri Aug 8 12:13:22 UTC 2025
On Fri, 8 Aug 2025 01:34:52 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> But I think simply omitting a service name is a better solution because in such case we can check the algorithm against the whole `jdk.crypto.disabledAlgorithms` property in one call without specifying the service name:
>> `CryptoAlgorithmConstraints.permits(algo)`
>
> Well, with the current list of 4 supported services, they don't generally share the algorithm names. Thus, I don't see a lot of sense of doing this. Personally, I'd view omitting of service as an oversight. Not sure how commonly used it is. If there is no strong need for supporting wildcard, then I'd not do it at least for this iteration. This is my personal preference. If there are strong reasons and usage scenarios driving wildcard support, then I am open for it.
I see, makes sense.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2262799299
More information about the security-dev
mailing list