I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but allows sha1.
The reason is that http://hg.openjdk.java.net/jdk/jdk/file/6b54e8cd9b3d/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#l96 does not see "sha1". On the other hand, it rejects both "SHA-1" and "sha-1", because it's a direct case-insenstive match. Also, it allows both "SHA" and "sha" because there is no special code for it. Isn't "SHA" also an alias of "SHA-1"? Do you think all these names should be recognized? Shall we clarify it in the spec? Thanks Max