On Fri, 25 Jul 2025 00:42:56 GMT, Anthony Scarpino <ascarp...@openjdk.org> wrote:
>> This enhancement introduces a new security property >> "jdk.crypto.disabledAlgorithms" which can be leveraged to disable algorithms >> for JCE/JCA crypto services. For now, only Cipher, KeyStore, MessageDigest, >> and Signature services support this new security property. The support can >> be expanded later to cover more services if needed. Note that this security >> property is meant to disable algorithms irrespective of providers. If the >> algorithm is found to be disabled, it will be rejected before reaching out >> to provider(s) for the corresponding implementation(s). >> >> A few implementation notes: >> 1) The specified security property value is lazily loaded and all changes >> after it's been loaded are ignored. Invalid entries, e.g. wrong syntax, are >> ignored and removed. The algorithm name check is case-insensitive. If a >> disabled algorithm is known to has an object identifier (oid) by JDK, this >> oid and its aliases is also added to the disabled services. >> 2) The algorithm name checking impl is based on the >> sun.security.util.AlgorithmConstraints class, but without the decomposing >> and different constraints. >> 3) The hardwiring of NONEwithRSA signature to RSA/ECB/PKCS1Padding cipher in >> java.security.Signature class is removed. Instead, this is moved to the >> provider level, i.e. SunJCE and SunPKCS11 provider are changed to claim the >> NONEwithRSA signature support. Disabling one will not affect the other. >> >> CSR will be filed once the review is wrapping up. >> >> Thanks~ >> Valerie > > src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java > line 37: > >> 35: import java.security.InvalidAlgorithmParameterException; >> 36: import java.security.InvalidParameterException; >> 37: import java.security.ProviderException; > > not used Yes, will remove. > src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java > line 43: > >> 41: import javax.crypto.BadPaddingException; >> 42: import javax.crypto.IllegalBlockSizeException; >> 43: import javax.crypto.NoSuchPaddingException; > > not used Yes, will remove. > src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java > line 36: > >> 34: import java.util.Set; >> 35: import java.util.concurrent.ConcurrentHashMap; >> 36: import sun.security.util.KnownOIDs; > > This import isn't needed since `KnownOIDs` in the same package. True, will remove. ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2241204330 PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2241206569 PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2241202560
