RFR: 8244336: Restrict algorithms at JCE layer [v8]
Valerie Peng
valeriep at openjdk.org
Thu Aug 21 22:04:00 UTC 2025
On Sat, 16 Aug 2025 00:04:38 GMT, Artur Barashev <abarashev at openjdk.org> wrote:
>> Hmm, I looked at that test as well as the changes that it corresponds to. Given that this PR involves public JCA classes, e.g. the 4 services, having tests for those services and their `getInstance(...)` methods makes more sense as we need to ensure that the javadoc `@implNote` matches the actual behavior. Testing the `permit` call makes a lot sense for checking invalid values though. So, I will explore re-writing the `test/jdk/java/security/Security/SecurityPropFile/InvalidCryptoDisabledAlgos.java` to directly using the `CryptoAlgorithmConstraints.permit` method.
>
> Yes, having tests for those services and their `getInstance(...)` methods makes sense of course, I'm not asking to change those tests. If you re-write `InvalidCryptoDisabledAlgos.java` to directly use the `CryptoAlgorithmConstraints.permit` method, then you can as well move it under `test/jdk/sun/security/util/AlgorithmConstraints` directory. I think it would be a better location for such test than `test/jdk/java/security/Security/SecurityPropFile`.
Yes, that's what I did after your comment. Initially was thinking about putting this test under the test directory for java.security file. I agree that directly use the CryptoAlgorithmConstraints.permit method makes sense.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2292227536
More information about the security-dev
mailing list