On Fri, 21 Feb 2025 20:35:34 GMT, Weijun Wang <wei...@openjdk.org> wrote:
>> Hi,
>>
>> I need a review for the following change. Naming conventions for EdDSA and
>> XDH have inconsistencies between DisabledAlgorithms and KeyPairGenerator.
>> These internal changes help make it more consistent when parsing the actual
>> curve being used vs the broader algorithm name.
>>
>> thanks
>>
>> Tony
>
> test/jdk/sun/security/util/AlgorithmConstraints/DisabledAlgorithmPermits.java
> line 61:
>
>> 59: case "Ed25519" ->
>> 60: Arrays.asList(
>> 61: new TestCase("EdDSA", false),
>
> As Sean mentioned in another comment, disabling "Ed25519" does not imply all
> EdDSA keys are not permitted. This means the result of `permits(primitives,
> algorithmName, parameters)` cannot be determined. That said, I noticed you've
> used `KeyUtil::getAlgorithm` in a lot of places. Can we guarantee that this
> `permits` method is never called on a family algorithm name? If so, we can
> get a definitive result.

I believe my comment to Sean answers this question, but I'm not sure I understand the last question in your comment. "never called on a family algorithm name". The change is to make sure these two families return the curve name and not the family name (EdDSA & XDH). But on the other side, someone using the family name of the disabled algorithm list would disable all curves.

The above test code is checking that this call `permits(Set.of(CryptoPrimitive.SIGNATURE), "EdDSA", null)` will fail for an Ed25519 key because of the precedent set by KPG.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1966189174
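The family name versus curve name distinction discussed in this message, shown with public JDK APIs only. This is an added example, not code from the pull request: `CurveNameDemo`, `curveOrAlgorithm` and `blockedBy` are hypothetical names, the disabled lists are constructed, and `blockedBy` is a simplified model rather than the JDK's `permits` logic. It assumes JDK 17 or later.

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.EdECKey;
import java.security.interfaces.XECKey;
import java.security.spec.NamedParameterSpec;
import java.util.List;
import java.util.Set;

public class CurveNameDemo {

    // Hypothetical helper: return the curve name for EdDSA/XDH keys,
    // and the plain algorithm name for every other key type.
    static String curveOrAlgorithm(Key key) {
        if (key instanceof EdECKey ed) {
            return ed.getParams().getName();          // "Ed25519" or "Ed448"
        }
        if (key instanceof XECKey xec
                && xec.getParams() instanceof NamedParameterSpec nps) {
            return nps.getName();                     // "X25519" or "X448"
        }
        return key.getAlgorithm();
    }

    // Simplified model (an assumption, not the JDK's constraint logic):
    // a key is blocked when the disabled list names its family or its curve.
    static boolean blockedBy(Set<String> disabled, Key key) {
        return disabled.stream().anyMatch(d ->
                d.equalsIgnoreCase(key.getAlgorithm())
                        || d.equalsIgnoreCase(curveOrAlgorithm(key)));
    }

    public static void main(String[] args) throws Exception {
        Set<String> curveOnly = Set.of("Ed25519");    // constructed sample lists
        Set<String> family = Set.of("EdDSA");
        // KeyPairGenerator accepts both family names and curve names.
        for (String name : List.of("Ed25519", "Ed448", "EdDSA",
                                   "X25519", "X448", "XDH")) {
            Key pub = KeyPairGenerator.getInstance(name)
                    .generateKeyPair().getPublic();
            System.out.printf(
                "KPG=%-8s getAlgorithm()=%-6s curve=%-8s "
                    + "blocked[Ed25519]=%-5b blocked[EdDSA]=%b%n",
                name, pub.getAlgorithm(), curveOrAlgorithm(pub),
                blockedBy(curveOnly, pub), blockedBy(family, pub));
        }
    }
}
```

`Key.getAlgorithm()` reports only the family name for these keys, so a check against a curve-specific disabled entry has to read the key's parameters as well.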