On Wed, 30 Jul 2025 07:04:41 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> src/java.base/share/classes/java/security/KeyStore.java line 1846:
>>
>>> 1844: for (Provider p : Security.getProviders()) {
>>> 1845: for (Provider.Service s : p.getServices()) {
>>> 1846: if (s.getType().equals("KeyStore") &&
>>
>> I think the check should only be done if the code determines after probing
>> the keystore that it is of the disabled type, so move this check down,
>> probably just before line 1856.
>
> No need to probe if the particular keystore is disabled seems more efficient?
> Anyhow, I made the suggested change as it has the merits of finding out the
> result of the probe through debugging.

Well there is a compatibility mode (enabled by default) which allows PKCS12 keystores to be read as JKS, and vice-versa, so I think it is better to probe the file to see precisely what format it is in. See the [keystore.type.compat](https://github.com/openjdk/jdk/blob/a2e86ff3c56209a14c6e9730781eecd12c81d170/src/java.base/share/conf/security/java.security#L304) security property for details.

>> src/java.base/share/classes/javax/crypto/Cipher.java line 526:
>>
>>> 524: * on the transformation defaults used by JDK providers.
>>> 525: * </li>
>>> 526: * <li>the {@code jdk.crypto.disabledAlgorithms}
>>
>> Missing "The JDK Reference Implementation additionally uses".
>
> This is one of the list items. "The JDK Reference Implementation additionally
> uses" applies to the entire list which includes both security properties.

Ok. I might suggest rewording the first sentence as:

"The JDK Reference Implementation additionally uses the following security properties:"

and then the list would be:

`<li>{@code jdk.security.provider.preferred}: determines the preferred provider order for the specified algorithm. ...`

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2242761676
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2242744714
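
The probing point in the reply above, as an added example that is not code from the JDK or from this PR: with `keystore.type.compat` in effect, the type a caller requests can differ from the format actually stored, so a disabled-type check keyed on the requested type alone can miss. The class `KeystoreFormatProbe`, its helpers `probe` and `emptyStore`, and the password are hypothetical; the leading-byte test for PKCS12 is a heuristic, not the JDK's own probe.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;

public class KeystoreFormatProbe {
    // Classify keystore bytes by their header, independent of the type the caller requested.
    static String probe(byte[] data) {
        if (data.length < 4) return "unknown";
        int magic = ((data[0] & 0xff) << 24) | ((data[1] & 0xff) << 16)
                  | ((data[2] & 0xff) << 8) | (data[3] & 0xff);
        if (magic == 0xFEEDFEED) return "JKS";     // JKS file magic
        if (magic == 0xCECECECE) return "JCEKS";   // JCEKS file magic
        if ((data[0] & 0xff) == 0x30) return "PKCS12"; // DER SEQUENCE tag (heuristic)
        return "unknown";
    }

    // Build an empty keystore of the given type in memory (constructed sample input).
    static byte[] emptyStore(String type, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, pw);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        byte[] p12 = emptyStore("PKCS12", pw);
        byte[] jks = emptyStore("JKS", pw);
        System.out.println("PKCS12 bytes probe as: " + probe(p12));
        System.out.println("JKS bytes probe as:    " + probe(jks));

        // Request "JKS" but supply PKCS12 bytes: whether this loads depends on
        // the keystore.type.compat security property.
        KeyStore requestedJks = KeyStore.getInstance("JKS");
        try {
            requestedJks.load(new ByteArrayInputStream(p12), pw);
            System.out.println("requested type: " + requestedJks.getType()
                    + ", stored format: " + probe(p12));
        } catch (IOException e) {
            System.out.println("load rejected (compat mode off?): " + e.getMessage());
        }
    }
}
```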