Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints

Weijun Wang weijun.wang at oracle.com
Mon Mar 12 11:39:51 UTC 2018


I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but allows sha1.

The reason is that http://hg.openjdk.java.net/jdk/jdk/file/6b54e8cd9b3d/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#l96 does not see "sha1".

On the other hand, it rejects both "SHA-1" and "sha-1", because it's a direct case-insenstive match.

Also, it allows both "SHA" and "sha" because there is no special code for it. Isn't "SHA" also an alias of "SHA-1"?

Do you think all these names should be recognized? Shall we clarify it in the spec?

Thanks
Max



More information about the security-dev mailing list