RFR: 8244336: Restrict algorithms at JCE layer [v8]
Artur Barashev
abarashev at openjdk.org
Sat Aug 16 00:07:16 UTC 2025
On Fri, 15 Aug 2025 22:50:31 GMT, Valerie Peng <valeriep at openjdk.org> wrote:
>> test/jdk/java/security/Security/SecurityPropFile/InvalidCryptoDisabledAlgos.java line 1:
>>
>>> 1: /*
>>
>> It would be nice to also have a dedicated test class under `sun/security/utils` that tests everything directly, including invalid values for the `permit` call. See `DisabledAlgorithmPermits` class for example.
>
> Hmm, I looked at that test as well as the changes that it corresponds to. Given that this PR involves public JCA classes, e.g. the 4 services, having tests for those services and their `getInstance(...)` methods makes more sense as we need to ensure that the javadoc `@implNote` matches the actual behavior. Testing the `permit` call makes a lot sense for checking invalid values though. So, I will explore re-writing the `test/jdk/java/security/Security/SecurityPropFile/InvalidCryptoDisabledAlgos.java` to directly using the `CryptoAlgorithmConstraints.permit` method.
Yes, having tests for those services and their `getInstance(...)` methods makes sense of course, I'm not asking to change those tests. If you re-write `InvalidCryptoDisabledAlgos.java` to directly use the `CryptoAlgorithmConstraints.permit` method, then you can as well move it under `test/jdk/sun/security/util/AlgorithmConstraints` directory. I think it would be a better location for such test than `test/jdk/java/security/Security/SecurityPropFile`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2280045286
More information about the security-dev
mailing list