RFR: 8244336: Restrict algorithms at JCE layer [v9]

Valerie Peng valeriep at openjdk.org
Thu Aug 21 22:04:00 UTC 2025


On Thu, 21 Aug 2025 13:23:12 GMT, Artur Barashev <abarashev at openjdk.org> wrote:

>> src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java line 77:
>> 
>>> 75:      * Initialize algorithm constraints with the specified security property
>>> 76:      * {@code propertyName}. Note that if a system property of the same name
>>> 77:      * is set, it overrides the security property.
>> 
>> We allow a system property to override the `jdk.crypto.disabledAlgorithms` security property but not other `*.disabledAlgorithms` security properties. That's an inconsistent experience. Any particular reason we need this functionality for `jdk.crypto.disabledAlgorithms`? Are we going to document it in the JSSE guide?
>
> Explanation provided out of band.

Yes, the system property override support is on a case-by-case basis depending on need.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2292224768

