> On Mar 13, 2018, at 4:19 AM, Sean Mullan <sean.mul...@oracle.com> wrote:
>
> On 3/12/18 12:07 PM, Bernd Eckenfels wrote:
>> I always thought the logic is "case insensitive substring of canonical name", so it also works with things like "DHE" in ciphers. In that case "SHA" would match SHA-1 as well as SHA-xxx.

Really? My understanding is that SHA is an alias of SHA-1 and I never thought it covers SHA-256 etc., at least not in this case.

--Max

> Right, I was more making the point that you shouldn't expect aliases to match their corresponding names. For example, if you block on the alias "Rijndael", you should not assume it will block "AES".
>
> --Sean
>
>> Regards
>> Bernd
>> --
>> http://bernd.eckenfels.net
>> ------------------------------------------------------------------------
>> *From:* security-dev <security-dev-boun...@openjdk.java.net> on behalf of Sean Mullan <sean.mul...@oracle.com>
>> *Sent:* Monday, March 12, 2018 3:41:36 PM
>> *To:* Weijun Wang; security-dev@openjdk.java.net
>> *Subject:* Re: Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints
>>
>> On 3/12/18 4:39 AM, Weijun Wang wrote:
>>> I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but allows sha1.
>>
>> That sounds like a bug.
>>
>>> The reason is that
>>> http://hg.openjdk.java.net/jdk/jdk/file/6b54e8cd9b3d/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#l96
>>> does not see "sha1".
>>>
>>> On the other hand, it rejects both "SHA-1" and "sha-1", because it's a direct case-insensitive match.
>>>
>>> Also, it allows both "SHA" and "sha" because there is no special code for it. Isn't "SHA" also an alias of "SHA-1"?
>>>
>>> Do you think all these names should be recognized? Shall we clarify it in the spec?
>>
>> I would tend to think that we should only specify (or guarantee) that standard names are checked and used in the disabled algorithm properties. Aliases have never been a supported/standard feature, so I think if we start to accommodate them, then we have to document that and it increases the complexity of the code and chance that we might miss one. For example, SHA is an alias for SHA-1 in the JDK Sun provider but there is no corresponding alias for SHAwithRSA in the SunRsaSign provider, so it is inconsistent already.
>>
>> --Sean
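The behaviour the thread settles on (standard names matched case-insensitively after decomposition, aliases deliberately not matched) can be made concrete with a small stand-alone Java example. This is added illustration, not the JDK's `AlgorithmDecomposer` or `DisabledAlgorithmConstraints`; the class name `DisabledAlgorithmCheck`, the `normalize`/`decompose` helpers, the reduced separator set (`with`, `and`, `/`) and the sample disabled list `{"SHA-1", "AES"}` are all assumptions made for the demonstration.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Illustrative decomposer (not the JDK's sun.security.util.AlgorithmDecomposer).
 * A composite JCA name such as "SHA1withRSAandMGF1" is split into its parts,
 * every part is upper-cased, and "SHAnnn" spellings are folded onto the
 * standard "SHA-nnn" form, so "SHA1", "sha1", "SHA-1" and "sha-1" all compare
 * equal. Provider aliases such as "SHA" or "Rijndael" are intentionally NOT
 * mapped, matching the position in the thread that only standard names are
 * guaranteed to be checked.
 */
public final class DisabledAlgorithmCheck {

    // Disabled standard names, stored in normalized form (constructed sample policy).
    private final Set<String> disabled = new HashSet<>();

    public DisabledAlgorithmCheck(Set<String> disabledStandardNames) {
        for (String name : disabledStandardNames) {
            disabled.add(normalize(name));
        }
    }

    /** Upper-case the name and rewrite "SHA<digits>" to the standard "SHA-<digits>". */
    static String normalize(String name) {
        String upper = name.trim().toUpperCase(Locale.ROOT);
        // Only the digit-suffixed spelling is rewritten; "SHA-1" is already standard
        // and the bare alias "SHA" is left alone on purpose.
        if (upper.matches("SHA\\d+")) {
            return "SHA-" + upper.substring(3);
        }
        return upper;
    }

    /**
     * Split a composite name on the separators this example understands
     * (assumption: "with", "and" and "/") and normalize each component.
     */
    static Set<String> decompose(String algorithm) {
        Set<String> parts = new HashSet<>();
        for (String part : algorithm.split("(?i)with|and|/")) {
            if (!part.isEmpty()) {
                parts.add(normalize(part));
            }
        }
        return parts;
    }

    /** An algorithm is permitted only if none of its components is disabled. */
    public boolean permits(String algorithm) {
        for (String part : decompose(algorithm)) {
            if (disabled.contains(part)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        DisabledAlgorithmCheck check = new DisabledAlgorithmCheck(Set.of("SHA-1", "AES"));

        // Every spelling of the standard name SHA-1 is caught once normalized,
        // including the lower-case "sha1" the thread reports slipping through.
        for (String name : new String[] {"SHA-1", "sha-1", "SHA1", "sha1", "SHA1withRSA", "sha1WITHrsa"}) {
            System.out.println(name + " permitted? " + check.permits(name));
        }

        // Aliases are not standard names, so blocking SHA-1 does not block "SHA" and
        // blocking AES does not block "Rijndael"; SHA-256 is a different algorithm.
        for (String name : new String[] {"SHA", "Rijndael", "SHA-256"}) {
            System.out.println(name + " permitted? " + check.permits(name));
        }
    }
}
```

The design choice worth noting is that normalization is applied to both sides, the policy entries and the name under test, so the result cannot depend on how either was capitalised; a check that only upper-cases one side is exactly how "SHA1" and "sha1" end up treated differently.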