RFR: 8244336: Restrict algorithms at JCE layer [v2]
Artur Barashev
abarashev at openjdk.org
Mon Aug 11 15:05:21 UTC 2025
On Thu, 31 Jul 2025 07:06:04 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java line 83:
>>
>>> 81: }
>>> 82: String service = dk.substring(0, idx);
>>> 83: String algo = dk.substring(idx + 1);
>>
>> You should check for invalid syntax such as ".algo" or "service."
>
> Definitely, thanks for the good catch~
This would throw `IndexOutOfBoundsException` on `.`
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2267063161