On Fri, 21 Feb 2025 22:29:01 GMT, Anthony Scarpino <ascarp...@openjdk.org> wrote:
>> Do we call `permits` before instantiating a `KeyPairGenerator`? What if
>> people call `kpg.initialize(NPS.Ed448)` after the instantiation?
>>
>> In reality, I think it depends on how many `permits` calls there are. Modern
>> algorithms have the same key algorithm name and signature algorithm name.
>> When a signature operation is carried out, do we check on both the signature
>> algorithm and the key? It seems only checking on the key is enough. It's
>> actually more precise, since you can get the exact parameter set name there.
>> This is why I asked if the method is "never called on a family algorithm
>> name". When checking a key, if we always call `permits` on the parameter set
>> name, we get the precise result.
>
> `permits()` is used in situations for
> jdk[tls|certpath|jar].disabledAlgorithms, and the SSLAlgorithmConstraints.
> It's not called for APIs like KPG, Signature, etc.

That's what I meant. Suppose in TLS when you verify a signature and you call `permits` on both the signature algorithm name and the key used to init the signature, it's OK if only one fails.

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1966282538