RFR: 8244336: Restrict algorithms at JCE layer [v2]
Valerie Peng
valeriep at openjdk.org
Thu Jul 31 01:24:02 UTC 2025
On Wed, 30 Jul 2025 13:51:41 GMT, Sean Mullan <mullan at openjdk.org> wrote:
>> No need to probe if the particular keystore is disabled seems more efficient? Anyhow, I made the suggested change as it has the merits of finding out the result of the probe through debugging.
>
> Well there is a compatibility mode (enabled by default) which allows PKCS12 keystores to be read as JKS, and vice-versa, so I think it is better to probe the file to see precisely what format it is in. See the [keystore.type.compat](https://github.com/openjdk/jdk/blob/a2e86ff3c56209a14c6e9730781eecd12c81d170/src/java.base/share/conf/security/java.security#L304) security property for details.
Hmm, interesting. I see.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2244148365
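
The compatibility behaviour discussed above can be observed directly. The following is an added example, not code from the PR or from the JDK sources: it writes a PKCS12 keystore, loads it through a `KeyStore` requested as JKS, and then lets `KeyStore.getInstance(File, char[])` probe the file. The class name, temp file and password are constructed for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.Security;

public class KeystoreCompatProbe {
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password

        // Constructed sample input: an empty PKCS12 keystore in a temp file.
        File f = File.createTempFile("sample", ".ks");
        f.deleteOnExit();
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        try (OutputStream out = new FileOutputStream(f)) {
            p12.store(out, pw);
        }

        // The security property referenced in the thread.
        System.out.println("keystore.type.compat = "
                + Security.getProperty("keystore.type.compat"));

        // Ask for JKS but hand it the PKCS12 file. The type the caller
        // requested is what getType() reports, whatever the file holds.
        KeyStore requested = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(f)) {
            requested.load(in, pw);
            System.out.println("requested type reports: " + requested.getType());
        } catch (IOException e) {
            // Reached when the file cannot be read as the requested type,
            // for example with compatibility mode turned off.
            System.out.println("load as JKS failed: " + e.getMessage());
        }

        // Let the JDK probe the file content instead of trusting the
        // requested type name.
        KeyStore probed = KeyStore.getInstance(f, pw);
        System.out.println("probed type: " + probed.getType());
    }
}
```

Comparing the two printed types shows why a check keyed only on the requested keystore type can miss the format that is actually on disk.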