On Fri, 21 Feb 2025 21:21:24 GMT, Anthony Scarpino <ascarp...@openjdk.org> 
wrote:

>> test/jdk/sun/security/util/AlgorithmConstraints/DisabledAlgorithmPermits.java
>>  line 61:
>> 
>>> 59:             case "Ed25519" ->
>>> 60:                 Arrays.asList(
>>> 61:                     new TestCase("EdDSA", false),
>> 
>> As Sean mentioned in another comment, disabling "Ed25519" does not imply all 
>> EdDSA keys are not permitted. This means the result of `permits(primitives, 
>> algorithmName, parameters)` cannot be determined. That said, I noticed 
>> you've used `KeyUtil::getAlgorithm` in a lot of places. Can we guarantee 
>> that this `permits` method is never called on a family algorithm name? If 
>> so, we can get a definitive result.
>
> I believe my comment to Sean answers this question, but I'm not sure I 
> understand the last question in your comment.  "never called on a family 
> algorithm name".  The change is to make sure these two families return the 
> curve name and not the family name (EdDSA & XDH).  But on the other side, 
> someone using the family name of the disabled algorithm list would disable 
> all curves.
> The above test code is checking that this call 
> `permits(Set.of(CryptoPrimitive.SIGNATURE), "EdDSA", null)` will fail for an 
> Ed25519 key because of the precedent set by KPG.

We are talking about the same thing in multiple comments now.

In this case, if both `permits(SIGNATURE, "EdDSA", null)` and 
`permits(SIGNATURE, key)` are called, it's safe to bypass the 1st check as long 
as the 2nd one blocks the key. So it's not necessary to cover "EdDSA" when only 
"Ed25519" is disabled.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1966263224
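
The two-check argument in the reply above, as an added example that is not part of the original thread and not the JDK's `DisabledAlgorithmConstraints` code. `ToyConstraints`, `permitsName` and `permitsKey` are hypothetical names modelling a disabled-algorithms list; only the `KeyPairGenerator` and `EdECKey` calls are real JDK APIs.

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.EdECKey;
import java.util.Set;

public class FamilyVsCurveCheck {
    // Hypothetical stand-in for a disabled-algorithms list (not JDK code).
    record ToyConstraints(Set<String> disabled) {
        boolean isDisabled(String name) {
            return disabled.stream().anyMatch(name::equalsIgnoreCase);
        }

        // Name-only check: it sees just the string it is handed, so a
        // family name such as "EdDSA" says nothing about the curve.
        boolean permitsName(String algorithm) {
            return !isDisabled(algorithm);
        }

        // Key check: the curve can be resolved from the key itself, so
        // both the family name and the curve name are tested.
        boolean permitsKey(Key key) {
            if (isDisabled(key.getAlgorithm())) {
                return false;
            }
            if (key instanceof EdECKey ed) {
                return !isDisabled(ed.getParams().getName());
            }
            return true;
        }
    }

    static void report(String label, ToyConstraints c, Key ed25519, Key ed448) {
        System.out.println(label + " disabled:");
        System.out.println("  permitsName(\"EdDSA\")   = " + c.permitsName("EdDSA"));
        System.out.println("  permitsKey(Ed25519 key) = " + c.permitsKey(ed25519));
        System.out.println("  permitsKey(Ed448 key)   = " + c.permitsKey(ed448));
    }

    public static void main(String[] args) throws Exception {
        // Keys generated locally so the example runs offline.
        Key ed25519 = KeyPairGenerator.getInstance("Ed25519").generateKeyPair().getPublic();
        Key ed448 = KeyPairGenerator.getInstance("Ed448").generateKeyPair().getPublic();

        // Curve name only: the name check passes, the key check decides.
        report("Ed25519", new ToyConstraints(Set.of("Ed25519")), ed25519, ed448);
        // Family name: every curve in the family is blocked.
        report("EdDSA", new ToyConstraints(Set.of("EdDSA")), ed25519, ed448);
    }
}
```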
