On Thu, 10 Mar 2022 14:21:41 GMT, Weijun Wang <[email protected]> wrote:
>> Michael McMahon has updated the pull request incrementally with two
>> additional commits since the last revision:
>>
>> - update
>> - update after first review round
>
> src/java.base/share/conf/security/java.security line 711:
>
>> 709: # separated list of algorithms to be allowed.
>> 710: #
>> 711: jdk.httpdigest.defaultDisabledAlgorithms = MD5, MD-5, SHA1, SHA-1
>
> I haven't seen people using "MD-5". It's also not an alias of "MD5" in our
> own security providers. On the other hand, we support both "SHA1" and "SHA"
> (and its OID) as aliases of "SHA-1". So, either we list all these aliases
> here, or we only put the standard names here and "canonicalize" the name when
> we see one. `sun.security.util.KnownOIDs.findMatch("SHA-1").stdName()` can be
> used.
The aliases are a PITA. It's a shame there isn't support in the public API to
canonicalize the names. But, what I will do is canonicalize the incoming
strings from the HTTP server and then we only have to list canonical names in
the properties.
-------------
PR: https://git.openjdk.java.net/jdk/pull/7688
