RFR: 8346129: Simplify EdDSA & XDH curve name usage

[Weijun Wang]

On Fri, 21 Feb 2025 21:21:24 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:

>> test/jdk/sun/security/util/AlgorithmConstraints/DisabledAlgorithmPermits.java line 61:
>> 
>>> 59:             case "Ed25519" ->
>>> 60:                 Arrays.asList(
>>> 61:                     new TestCase("EdDSA", false),
>> 
>> As Sean mentioned in another comment, disabling "Ed25519" does not imply all EdDSA keys are not permitted. This means the result of `permits(primitives, algorithmName, parameters)` cannot be determined. That said, I noticed you've used `KeyUtil::getAlgorithm` in a lot of places. Can we guarantee that this `permits` method is never called on a family algorithm name? If so, we can get a definitive result.
>
> I believe my comment to Sean answers this question, but I'm not sure I understand the last question in your comment.  "never called on a family algorithm name".  The change is to make sure these two families return the curve name and not the family name (EdDSA & XDH).  But on the other side, someone using the family name of the disabled algorithm list would disable all curves.
> The above test code is checking that this call ` permits(Set.of(CryptoPrimitive.SIGNATURE), "EdDSA", null)` will fail for a Ed25519 key because of the precedent set by KPG.

We are talking about the same in multiple comments now.

In this case, if both `permits(SIGNATURE, "EdDSA", null)` and `permits(SIGNATURE, key)` are called, it's safe to bypass the 1st check as long as the 2nd one blocks the key. So it's not necessary to cover "EdDSA" when only "Ed25519" is disabled.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1966263224