> This enhancement introduces a new security property 
> "jdk.crypto.disabledAlgorithms" which can be leveraged to disable algorithms 
> for JCE/JCA crypto services. For now, only Cipher, KeyStore, MessageDigest, 
> and Signature services support this new security property. The support can be 
> expanded later to cover more services if needed. Note that this security 
> property is meant to disable algorithms irrespective of providers. If the 
> algorithm is found to be disabled, it will be rejected before reaching out to 
> provider(s) for the corresponding implementation(s).
> 
> A few implementation notes:
> 1) The specified security property value is lazily loaded and all changes 
> after it's been loaded are ignored. Invalid entries, e.g. wrong syntax, are 
> ignored and removed. The algorithm name check is case-insensitive. If a 
> disabled algorithm is known to has an object identifier (oid) by JDK, this 
> oid and its aliases is also added to the disabled services.
> 2) The algorithm name checking impl is based on the 
> sun.security.util.AlgorithmConstraints class, but without the decomposing and 
> different constraints.
> 3) The hardwiring of NONEwithRSA signature to RSA/ECB/PKCS1Padding cipher in 
> java.security.Signature class is removed. Instead, this is moved to the 
> provider level, i.e. SunJCE and SunPKCS11 provider are changed to claim the 
> NONEwithRSA signature support. Disabling one will not affect the other. 
> 
> CSR will be filed once the review is wrapping up.
> 
> Thanks~
> Valerie

Valerie Peng has updated the pull request incrementally with two additional 
commits since the last revision:

 - Add a public static final constant for the property name.
 - Address more review comments from Sean and Artur.

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/26377/files
  - new: https://git.openjdk.org/jdk/pull/26377/files/d4f892fc..c9bf72f4

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=26377&range=04
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=26377&range=03-04

  Stats: 60 lines in 8 files changed: 23 ins; 7 del; 30 mod
  Patch: https://git.openjdk.org/jdk/pull/26377.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/26377/head:pull/26377

PR: https://git.openjdk.org/jdk/pull/26377

Reply via email to