On Fri, 18 Jul 2025 01:44:33 GMT, Valerie Peng <[email protected]> wrote:
> This enhancement introduces a new security property
> "jdk.crypto.disabledAlgorithms" which can be leveraged to disable algorithms
> for JCE/JCA crypto services. For now, only Cipher, KeyStore, MessageDigest,
> and Signature services support this new security property. The support can be
> expanded later to cover more services if needed. Note that this security
> property is meant to disable algorithms irrespective of providers. If the
> algorithm is found to be disabled, it will be rejected before reaching out to
> provider(s) for the corresponding implementation(s).
>
> A few implementation notes:
> 1) The specified security property value is lazily loaded and all changes
> after it's been loaded are ignored. Invalid entries, e.g. wrong syntax, are
> ignored and removed. The algorithm name check is case-insensitive. If a
> disabled algorithm is known to has an object identifier (oid) by JDK, this
> oid and its aliases is also added to the disabled services.
> 2) The algorithm name checking impl is based on the
> sun.security.util.AlgorithmConstraints class, but without the decomposing and
> different constraints.
> 3) The hardwiring of NONEwithRSA signature to RSA/ECB/PKCS1Padding cipher in
> java.security.Signature class is removed. Instead, this is moved to the
> provider level, i.e. SunJCE and SunPKCS11 provider are changed to claim the
> NONEwithRSA signature support. Disabling one will not affect the other.
>
> CSR will be filed once the review is wrapping up.
>
> Thanks~
> Valerie
src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java line
37:
> 35: import java.security.InvalidAlgorithmParameterException;
> 36: import java.security.InvalidParameterException;
> 37: import java.security.ProviderException;
not used
src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java line
43:
> 41: import javax.crypto.BadPaddingException;
> 42: import javax.crypto.IllegalBlockSizeException;
> 43: import javax.crypto.NoSuchPaddingException;
not used
src/java.base/share/classes/javax/crypto/Cipher.java line 370:
> 368: "missing mode and/or padding-"
> 369: + transformation);
> 370:
extra line intentional?
src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java
line 36:
> 34: import java.util.Set;
> 35: import java.util.concurrent.ConcurrentHashMap;
> 36: import sun.security.util.KnownOIDs;
This import isn't needed since `KnownOIDs` in the same package.
src/java.base/share/classes/sun/security/util/KnownOIDs.java line 186:
> 184: // RSASecurity
> 185: // PKCS1 1.2.840.113549.1.1.*
> 186: PKCS1("1.2.840.113549.1.1", "RSA", false), // RSA KeyPairGenerator
> and KeyFactory
With you specifying a new "RSA" stdName in the `RSA` enum, do we really need a
`"RSA", false` here? After doing an internet search on the OID, it looks like
"PKCS-1" maybe more appropriate.
src/java.base/share/conf/security/java.security line 775:
> 773:
> 774: #
> 775: # Algorithm restrictions for Java Crypto API services
Since this is a title, an empty comment line between this and the start of the
description would be appropriate.
src/java.base/share/conf/security/java.security line 776:
> 774: #
> 775: # Algorithm restrictions for Java Crypto API services
> 776: # The syntax of the disabled services string is described as follows:
Before you get into the syntax, I think you should explain what the feature is
and how it is triggered, such as, `getInstance()`.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2229859202
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2229859346
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2220011949
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2229663944
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2229631993
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2229636323
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2229645390
