On Thu, 23 Sep 2021 14:32:01 GMT, Weijun Wang <wei...@openjdk.org> wrote:

> This code change removes weak etypes from the default list so it's safer to
> enable one of them. See the corresponding CSR at
> https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW,
> please review the CSR as well.

src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 90:

> 88:         try {
> 89:             Config cfg = Config.getInstance();
> 90:             allowWeakCrypto = cfg.getBooleanObject("libdefaults", "allow_weak_crypto")

nit: exceeds 80 chars?

src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java line 111:

> 109:         } else {
> 110:             supportedETypes = Arrays.copyOf(result, num);
> 111:         }

nit: it seems clearer to base supportedETypes on defaultETypes, e.g.
<pre>
if (allowWeakCrypto) {
    supportedETypes = Arrays.copyOf(defaultETypes, defaultETypes.length + 4);
    supportedETypes[defaultETypes.length] = EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
    supportedETypes[defaultETypes.length + 1] = EncryptedData.ETYPE_ARCFOUR_HMAC;
    supportedETypes[defaultETypes.length + 2] = EncryptedData.ETYPE_DES_CBC_CRC;
    supportedETypes[defaultETypes.length + 3] = EncryptedData.ETYPE_DES_CBC_MD5;
} else {
    supportedETypes = defaultETypes;
}
</pre>

-------------

PR: https://git.openjdk.java.net/jdk/pull/5654