RFR: 8346129: Simplify EdDSA & XDH curve name usage [v4]
Weijun Wang
weijun at openjdk.org
Fri Mar 14 19:46:57 UTC 2025
On Fri, 7 Mar 2025 22:03:56 GMT, Anthony Scarpino <ascarpino at openjdk.org> wrote:
>> test/jdk/sun/security/util/AlgorithmConstraints/DisabledAlgorithmPermits.java line 86:
>>
>>> 84: Arrays.asList(
>>> 85: new TestCase("EdDSA", false),
>>> 86: new TestCase("Ed25519", true),
>>
>> Why should the above pass? If you disable `EdDSA` and you are still allowed `Signature.getInstance("Ed25519")`? If this is because it will reject whatever EdDSA key later? Why both check `CryptoPrimitive.SIGNATURE` at all?
>
> I'm confused by this comment. With removing the hardcoded aliases in AbstractAlgorithmConstraints, which is what I thought you had suggested, EdDSA and Ed25519 are now separate as the check is effectively a string compare check against the disabledAlgorithm list
>
> The second half of that case statement has a key that can check against both EdDSA and the NPS.
>
> With respect to `CryptoPrimitive.SIGNATURE`, it just a value used in the test, it can't be null.
Yes, I remember that.
I understand there will be multiple checks in TLS and CertPath. Do we have existing tests on that level?
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1996180604
More information about the security-dev
mailing list