RFR: 8346129: Simplify EdDSA & XDH curve name usage

Fri Feb 21 21:23:52 UTC 2025

On Fri, 21 Feb 2025 20:35:34 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Hi,
>> 
>> I need a review for the following change. Naming conventions for EdDSA and XDH have inconsistencies between DisabledAlgorithms and KeyPairGenerator. These internal changes help make it more consistent when parsing the actual curve being used vs the broader algorithm name.
>> 
>> thanks
>> 
>> Tony
>
> test/jdk/sun/security/util/AlgorithmConstraints/DisabledAlgorithmPermits.java line 61:
> 
>> 59:             case "Ed25519" ->
>> 60:                 Arrays.asList(
>> 61:                     new TestCase("EdDSA", false),
> 
> As Sean mentioned in another comment, disabling "Ed25519" does not imply all EdDSA keys are not permitted. This means the result of `permits(primitives, algorithmName, parameters)` cannot be determined. That said, I noticed you've used `KeyUtil::getAlgorithm` in a lot of places. Can we guarantee that this `permits` method is never called on a family algorithm name? If so, we can get a definitive result.

I believe my comment to Sean answers this question, but I'm not sure I understand the last question in your comment.  "never called on a family algorithm name".  The change is to make sure these two families return the curve name and not the family name (EdDSA & XDH).  But on the other side, someone using the family name of the disabled algorithm list would disable all curves.
The above test code is checking that this call ` permits(Set.of(CryptoPrimitive.SIGNATURE), "EdDSA", null)` will fail for a Ed25519 key because of the precedent set by KPG.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1966189174