RFR: 8244336: Restrict algorithms at JCE layer [v9]

Sean Mullan mullan at openjdk.org
Wed Sep 3 21:15:48 UTC 2025


On Wed, 3 Sep 2025 20:40:04 GMT, Valerie Peng <valeriep at openjdk.org> wrote:

>> src/java.base/share/conf/security/java.security line 810:
>> 
>>> 808: # Note: The restriction is applied in the various getInstance(...) methods
>>> 809: # of the supported Service classes, i.e. Cipher, KeyStore, MessageDigest,
>>> 810: # and Signature.
>> 
>> I think it would be useful to add an additional sentence: "A NoSuchAlgorithmException will be thrown if the algorithm is disabled."
>
> Well, it's not necessarily NSAE, e.g. `java.security.KeyStore` class throws `KeyStoreException`. Maybe just state "An exception will be thrown if the algorithm is disabled"?

Ah, right. I think I would prefer if we state the actual exception thrown, even if it's a bit longer. So how about: "If the algorithm is disabled, a NoSuchAlgorithmException will be thrown by the getInstance methods of Cipher, MessageDigest, and Signature and a KeyStoreException by the getInstance methods of KeyStore."

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2320231005


More information about the security-dev mailing list