Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-15 Thread Sean Mullan
On 3/13/18 1:06 AM, Weijun Wang wrote: On Mar 12, 2018, at 10:41 PM, Sean Mullan wrote: I would tend to think that we should only specify (or guarantee) that standard names are checked and used in the disabled algorithm properties. But this means first we must only set standard names in t

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-13 Thread Weijun Wang
> On Mar 13, 2018, at 11:54 PM, Xuelei Fan wrote: > > On 3/13/2018 1:06 AM, Weijun Wang wrote: >>> On Mar 12, 2018, at 10:41 PM, Sean Mullan wrote: >>> >>> I would tend to think that we should only specify (or guarantee) that >>> standard names are checked and used in the disabled algorithm

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-13 Thread Xuelei Fan
On 3/13/2018 1:06 AM, Weijun Wang wrote: On Mar 12, 2018, at 10:41 PM, Sean Mullan wrote: I would tend to think that we should only specify (or guarantee) that standard names are checked and used in the disabled algorithm properties. But this means first we must only set standard names in

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-13 Thread Weijun Wang
> On Mar 12, 2018, at 10:41 PM, Sean Mullan wrote: > > I would tend to think that we should only specify (or guarantee) that > standard names are checked and used in the disabled algorithm properties. But this means first we must only set standard names in the properties. What if someone set

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-12 Thread Weijun Wang
> *From:* security-dev on behalf of >> Sean Mullan >> *Sent:* Monday, March 12, 2018 3:41:36 PM >> *To:* Weijun Wang; security-dev@openjdk.java.net >> *Subject:* Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints >> On 3/12/18 4:39 AM, Weijun Wang wrote:

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-12 Thread Sean Mullan
curity-dev on behalf of Sean Mullan *Sent:* Monday, March 12, 2018 3:41:36 PM *To:* Weijun Wang; security-dev@openjdk.java.net *Subject:* Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints On 3/12/18 4:39 AM, Weijun Wang wrote: I put "SHA-1" in a DisabledAlgorithmConstraint

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-12 Thread Bernd Eckenfels
Sean Mullan Sent: Monday, March 12, 2018 3:41:36 PM To: Weijun Wang; security-dev@openjdk.java.net Subject: Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints On 3/12/18 4:39 AM, Weijun Wang wrote: > I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but a

Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-12 Thread Sean Mullan
On 3/12/18 4:39 AM, Weijun Wang wrote: I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but allows sha1. That sounds like a bug. The reason is that http://hg.openjdk.java.net/jdk/jdk/file/6b54e8cd9b3d/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.jav

Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

2018-03-12 Thread Weijun Wang
I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but allows sha1. The reason is that http://hg.openjdk.java.net/jdk/jdk/file/6b54e8cd9b3d/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#l96 does not see "sha1". On the other hand, it rejects both "SHA-