RFR: 8244336: Restrict algorithms at JCE layer [v2]

Sean Mullan mullan at openjdk.org
Wed Jul 30 13:54:58 UTC 2025


On Wed, 30 Jul 2025 07:04:41 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/java.base/share/classes/java/security/KeyStore.java line 1846:
>> 
>>> 1844:             for (Provider p : Security.getProviders()) {
>>> 1845:                 for (Provider.Service s : p.getServices()) {
>>> 1846:                     if (s.getType().equals("KeyStore") &&
>> 
>> I think the check should only be done if the code determines after probing the keystore that it is of the disabled type, so move this check down, probably just before line 1856.
>
> No need to probe if the particular keystore is disabled seems more efficient? Anyhow, I made the suggested change as it has the merits of finding out the result of the probe through debugging.

Well, there is a compatibility mode (enabled by default) which allows PKCS12 keystores to be read as JKS, and vice versa, so I think it is better to probe the file to see precisely what format it is in. See the [keystore.type.compat](https://github.com/openjdk/jdk/blob/a2e86ff3c56209a14c6e9730781eecd12c81d170/src/java.base/share/conf/security/java.security#L304) security property for details.

>> src/java.base/share/classes/javax/crypto/Cipher.java line 526:
>> 
>>> 524:      * on the transformation defaults used by JDK providers.
>>> 525:      * </li>
>>> 526:      * <li>the {@code jdk.crypto.disabledAlgorithms}
>> 
>> Missing "The JDK Reference Implementation additionally uses".
>
> This is one of the list items. "The JDK Reference Implementation additionally uses" applies to the entire list which includes both security properties.

Ok. I might suggest rewording the first sentence as: "The JDK Reference Implementation additionally uses the following security properties:" and then the list would be:

`<li>{@code jdk.security.provider.preferred}: determines the preferred provider order for the specified algorithm. ...`

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2242761676
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2242744714
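The following is an added example, not code from the pull request or from the JDK sources. It illustrates the `keystore.type.compat` behaviour discussed above: a PKCS12 keystore loaded through `KeyStore.getInstance("JKS")`, so the requested type name and the actual file format differ. The class name, the `probe` helper and its leading-byte heuristic (JKS magic `0xFEEDFEED`, DER SEQUENCE tag `0x30` for PKCS12) are assumptions made for illustration, and the keystores are constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.security.KeyStore;
import java.security.Security;

public class KeystoreFormatProbe {
    // JKS files start with this 4-byte magic number.
    static final int JKS_MAGIC = 0xFEEDFEED;

    // Hypothetical helper: classify keystore bytes by their leading bytes only.
    // A leading 0x30 (DER SEQUENCE) is a heuristic for PKCS12, not a full parse.
    static String probe(byte[] data) {
        if (data.length >= 4 && ByteBuffer.wrap(data).getInt() == JKS_MAGIC) {
            return "JKS";
        }
        if (data.length >= 1 && data[0] == 0x30) {
            return "PKCS12";
        }
        return "unknown";
    }

    // Build an empty keystore of the given type and serialize it (constructed sample input).
    static byte[] emptyStore(String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray(); // constructed sample password
        System.out.println("keystore.type.compat = "
                + Security.getProperty("keystore.type.compat"));

        byte[] p12Bytes = emptyStore("PKCS12", password);
        System.out.println("probed format of PKCS12 bytes: " + probe(p12Bytes));
        System.out.println("probed format of JKS bytes:    "
                + probe(emptyStore("JKS", password)));

        // Request "JKS" but supply PKCS12 data. With compat mode on, the load succeeds.
        KeyStore requested = KeyStore.getInstance("JKS");
        try {
            requested.load(new ByteArrayInputStream(p12Bytes), password);
            System.out.println("loaded as requested type " + requested.getType()
                    + ", actual format " + probe(p12Bytes));
        } catch (java.io.IOException e) {
            System.out.println("load rejected (compat mode off?): " + e.getMessage());
        }
    }
}
```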

