On Wed, 30 Jul 2025 07:25:57 GMT, Valerie Peng <[email protected]> wrote:
>> This enhancement introduces a new security property
>> "jdk.crypto.disabledAlgorithms" which can be leveraged to disable algorithms
>> for JCE/JCA crypto services. For now, only Cipher, KeyStore, MessageDigest,
>> and Signature services support this new security property. The support can
>> be expanded later to cover more services if needed. Note that this security
>> property is meant to disable algorithms irrespective of providers. If the
>> algorithm is found to be disabled, it will be rejected before reaching out
>> to provider(s) for the corresponding implementation(s).
>>
>> A few implementation notes:
>> 1) The specified security property value is lazily loaded and all changes
>> after it's been loaded are ignored. Invalid entries, e.g. wrong syntax, are
>> ignored and removed. The algorithm name check is case-insensitive. If a
>> disabled algorithm is known to has an object identifier (oid) by JDK, this
>> oid and its aliases is also added to the disabled services.
>> 2) The algorithm name checking impl is based on the
>> sun.security.util.AlgorithmConstraints class, but without the decomposing
>> and different constraints.
>> 3) The hardwiring of NONEwithRSA signature to RSA/ECB/PKCS1Padding cipher in
>> java.security.Signature class is removed. Instead, this is moved to the
>> provider level, i.e. SunJCE and SunPKCS11 provider are changed to claim the
>> NONEwithRSA signature support. Disabling one will not affect the other.
>>
>> CSR will be filed once the review is wrapping up.
>>
>> Thanks~
>> Valerie
>
> Valerie Peng has updated the pull request incrementally with one additional
> commit since the last revision:
>
> Address review comments from Sean and Tony.
src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java line
48:
> 46: *
> 47: * This is mostly refactored from the private static CipherAdapter class
> 48: * in the java.security.Signature class
This comment won't be that helpful now that the static CipherAdapter class is
gone. Maybe just remove it?
src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java line
50:
> 48: * in the java.security.Signature class
> 49: */
> 50: public final class RSACipherAdaptor extends SignatureSpi {
Can this be package-private?
src/java.base/share/classes/com/sun/crypto/provider/RSACipherAdaptor.java line
59:
> 57: }
> 58:
> 59: protected void engineInitVerify(PublicKey publicKey)
Consider adding `@Override` annotations where relevant.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2243000102
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2242982775
PR Review Comment: https://git.openjdk.org/jdk/pull/26377#discussion_r2243003226
