On Fri, 24 Sep 2021 22:01:26 GMT, Valerie Peng <valer...@openjdk.org> wrote:
>> This code change removes weak etypes from the default list so it's safer to
>> enable one of them. See the corresponding CSR at
>> https://bugs.openjdk.java.net/browse/JDK-8274207 for more explanation. BTW,
>> please review the CSR as well.
>
> src/java.security.jgss/share/classes/sun/security/krb5/internal/crypto/EType.java
> line 111:
>
>> 109:         } else {
>> 110:             supportedETypes = Arrays.copyOf(result, num);
>> 111:         }
>
> nit: it seems clearer to base supportedETypes on defaultETypes, e.g.
> <pre>
>         if (allowWeakCrypto) {
>             supportedETypes = Arrays.copyOf(defaultETypes,
>                     defaultETypes.length + 4);
>             supportedETypes[defaultETypes.length] =
>                     EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD;
>             supportedETypes[defaultETypes.length + 1] =
>                     EncryptedData.ETYPE_ARCFOUR_HMAC;
>             supportedETypes[defaultETypes.length + 2] =
>                     EncryptedData.ETYPE_DES_CBC_CRC;
>             supportedETypes[defaultETypes.length + 3] =
>                     EncryptedData.ETYPE_DES_CBC_MD5;
>         } else {
>             supportedETypes = defaultETypes;
>         }
> </pre>

Yes.

-------------

PR: https://git.openjdk.java.net/jdk/pull/5654