On Fri, 7 Mar 2025 22:03:56 GMT, Anthony Scarpino <ascarp...@openjdk.org> wrote:
>> test/jdk/sun/security/util/AlgorithmConstraints/DisabledAlgorithmPermits.java
>> line 86:
>>
>>> 84: Arrays.asList(
>>> 85: new TestCase("EdDSA", false),
>>> 86: new TestCase("Ed25519", true),
>>
>> Why should the above pass? If you disable `EdDSA` and you are still allowed
>> `Signature.getInstance("Ed25519")`? If this is because it will reject
>> whatever EdDSA key later? Why both check `CryptoPrimitive.SIGNATURE` at all?
>
> I'm confused by this comment. With removing the hardcoded aliases in
> AbstractAlgorithmConstraints, which is what I thought you had suggested,
> EdDSA and Ed25519 are now separate as the check is effectively a string
> compare check against the disabledAlgorithm list.
>
> The second half of that case statement has a key that can check against both
> EdDSA and the NPS.
>
> With respect to `CryptoPrimitive.SIGNATURE`, it's just a value used in the
> test, it can't be null.

Yes, I remember that. I understand there will be multiple checks in TLS and CertPath. Do we have existing tests on that level?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/23647#discussion_r1996180604
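The two checks discussed in this thread, as an added example that is not part of the original messages and is not the JDK's `AbstractAlgorithmConstraints` code: a simplified model of a name-only string compare next to a key-aware check that also looks at the key's `NamedParameterSpec`. The class and method names (`DisabledNameModel`, `permitsName`, `permitsKey`) and the case-insensitive compare are assumptions of this sketch; it needs Java 17 or later.

```java
import java.security.Key;
import java.security.KeyPairGenerator;
import java.security.interfaces.EdECKey;
import java.util.Set;

// Simplified model only (hypothetical names); not the JDK's constraint classes.
public class DisabledNameModel {

    // Name-only check: a plain string compare against the disabled list with no
    // alias expansion, so "EdDSA" and "Ed25519" are unrelated entries.
    // Case-insensitive matching is an assumption of this model.
    static boolean permitsName(Set<String> disabled, String algorithm) {
        return disabled.stream().noneMatch(d -> d.equalsIgnoreCase(algorithm));
    }

    // Key-aware check: tests the key's algorithm name and, for EdEC keys,
    // the NamedParameterSpec name as well.
    static boolean permitsKey(Set<String> disabled, Key key) {
        if (!permitsName(disabled, key.getAlgorithm())) {
            return false;
        }
        if (key instanceof EdECKey ed) {
            return permitsName(disabled, ed.getParams().getName());
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        Set<String> disabled = Set.of("EdDSA"); // constructed sample list
        Key pub = KeyPairGenerator.getInstance("Ed25519")
                .generateKeyPair().getPublic();

        // The same key carries both names: the family and the parameter set.
        System.out.println("key.getAlgorithm()      = " + pub.getAlgorithm());
        System.out.println("key params name         = "
                + ((EdECKey) pub).getParams().getName());

        // Name-only view, as in the two test cases quoted in the thread.
        System.out.println("permitsName(\"EdDSA\")    = "
                + permitsName(disabled, "EdDSA"));
        System.out.println("permitsName(\"Ed25519\")  = "
                + permitsName(disabled, "Ed25519"));

        // Key-aware view of an Ed25519 key under the same list.
        System.out.println("permitsKey(Ed25519 key) = "
                + permitsKey(disabled, pub));
    }
}
```

In this model a caller that only passes the algorithm name sees `Ed25519` as permitted, so coverage of the key-aware path (the TLS and CertPath level asked about above) is what shows whether an Ed25519 key is still rejected when `EdDSA` is disabled.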