On Mon, 29 Jul 2024 15:57:29 GMT, Anthony Scarpino <ascarp...@openjdk.org> wrote:

>> src/java.base/share/classes/java/security/spec/EncodedKeySpec.java line 71:
>> 
>>> 69:         this.encodedKey = encodedKey.clone();
>>> 70:         try {
>>> 71:             algorithmName = KeyUtil.getAlgorithm(this.encodedKey).getName();
>> 
>> What if `algorithmName` is assigned an OID in raw string? I see that 
>> `EncodedKeySpec::getAlgorithm` has not specified whether the return value is 
>> a standard algorithm name but usually we only return standard names.
>
> I hadn't thought about an OID string value.  The alternative to returning an 
> OID is null.  I don't see a problem returning an OID, as we have 
> seen in other areas where `Key.getAlgorithm()` returns a non-crypto algorithm 
> name.  I understand what you are saying that we typically return a standard 
> name, and that will still be true in a vast majority of the encodings.   But 
> I think returning the OID is a better choice in this corner case than 
> returning null.

The current spec says "or null if not specified", so it's actually OK if one is 
not specified -- if I understand correctly -- through the constructor that takes 
an algorithm argument. You might actually need to update the spec with your 
code change.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/17543#discussion_r1695495099
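
Added example, not code from the PR or from OpenJDK: a caller-side check that copes with all three values discussed in this thread for `EncodedKeySpec.getAlgorithm()` (a standard name, a dotted OID string, or null) and only accepts OIDs it recognises. The class name, the `KNOWN` allow-list and the helper names are hypothetical; the key is generated locally as sample input.

```java
import java.security.KeyPairGenerator;
import java.security.spec.X509EncodedKeySpec;
import java.util.Map;

public class EncodedKeyAlgName {
    // Hypothetical allow-list of key OIDs this caller accepts, with standard names.
    static final Map<String, String> KNOWN =
            Map.of("1.2.840.10045.2.1", "EC", "1.2.840.113549.1.1.1", "RSA");
    // Checks the DER tag at der[p[0]], then returns the length and advances p[0].
    static int tag(byte[] der, int[] p, int expected) {
        if (der[p[0]++] != expected) throw new IllegalArgumentException("unexpected DER tag");
        int n = der[p[0]++] & 0xff;
        if (n < 0x80) return n;                   // short-form length
        int count = n & 0x7f, v = 0;
        if (count == 0 || count > 3) throw new IllegalArgumentException("bad DER length");
        while (count-- > 0) v = (v << 8) | (der[p[0]++] & 0xff);
        return v;
    }
    // Dotted OID from the AlgorithmIdentifier of an X.509 SubjectPublicKeyInfo.
    static String spkiOid(byte[] der) {
        int[] p = {0};
        tag(der, p, 0x30);                        // SubjectPublicKeyInfo SEQUENCE
        tag(der, p, 0x30);                        // AlgorithmIdentifier SEQUENCE
        int end = tag(der, p, 0x06) + p[0];       // OBJECT IDENTIFIER contents
        StringBuilder oid = new StringBuilder();
        long v = 0;
        for (int i = p[0]; i < end; i++) {
            v = (v << 7) | (der[i] & 0x7f);
            if ((der[i] & 0x80) != 0) continue;   // more base-128 digits follow
            long first = Math.min(v / 40, 2);     // first value packs the first two arcs
            if (oid.length() == 0) oid.append(first).append('.').append(v - 40 * first);
            else oid.append('.').append(v);
            v = 0;
        }
        return oid.toString();
    }
    // Maps getAlgorithm()'s result (standard name, dotted OID or null) to a standard name.
    static String resolve(String fromSpec, byte[] der) {
        String name = (fromSpec != null) ? fromSpec : spkiOid(der);
        if (!name.matches("\\d+(\\.\\d+)+")) return name;   // already a name, not an OID
        if (!KNOWN.containsKey(name)) throw new IllegalArgumentException("unrecognised key OID " + name);
        return KNOWN.get(name);
    }
    public static void main(String[] args) throws Exception {
        byte[] der = KeyPairGenerator.getInstance("EC").generateKeyPair().getPublic().getEncoded();
        X509EncodedKeySpec bare = new X509EncodedKeySpec(der), named = new X509EncodedKeySpec(der, "EC");
        for (String s : new String[] {bare.getAlgorithm(), named.getAlgorithm(), "1.2.840.10045.2.1"})
            System.out.println(resolve(s, der));  // last entry is a constructed OID-string case
    }
}
```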
