On Fri, 18 Jul 2025 01:44:33 GMT, Valerie Peng <valer...@openjdk.org> wrote:
> This enhancement introduces a new security property > "jdk.crypto.disabledAlgorithms" which can be leveraged to disable algorithms > for JCE/JCA crypto services. For now, only Cipher, KeyStore, MessageDigest, > and Signature services support this new security property. The support can be > expanded later to cover more services if needed. Note that this security > property is meant to disable algorithms irrespective of providers. If the > algorithm is found to be disabled, it will be rejected before reaching out to > provider(s) for the corresponding implementation(s). > > A few implementation notes: > 1) The specified security property value is lazily loaded and all changes > after it's been loaded are ignored. Invalid entries, e.g. wrong syntax, are > ignored and removed. The algorithm name check is case-insensitive. If a > disabled algorithm is known to has an object identifier (oid) by JDK, this > oid and its aliases is also added to the disabled services. > 2) The algorithm name checking impl is based on the > sun.security.util.AlgorithmConstraints class, but without the decomposing and > different constraints. > 3) The hardwiring of NONEwithRSA signature to RSA/ECB/PKCS1Padding cipher in > java.security.Signature class is removed. Instead, this is moved to the > provider level, i.e. SunJCE and SunPKCS11 provider are changed to claim the > NONEwithRSA signature support. Disabling one will not affect the other. > > CSR will be filed once the review is wrapping up. > > Thanks~ > Valerie This pull request has now been integrated. Changeset: 35dabb1a Author: Valerie Peng <valer...@openjdk.org> URL: https://git.openjdk.org/jdk/commit/35dabb1a5f31d985f00de21badeeedb026a63b94 Stats: 1566 lines in 19 files changed: 1364 ins; 163 del; 39 mod 8244336: Restrict algorithms at JCE layer Reviewed-by: mullan, ascarpino, abarashev ------------- PR: https://git.openjdk.org/jdk/pull/26377
