Algorithm aliases of SHA-1 in DisabledAlgorithmConstraints
weijun.wang at oracle.com
Mon Mar 12 11:39:51 UTC 2018
I put "SHA-1" in a DisabledAlgorithmConstraints, it rejects SHA1 but allows sha1.
The reason is that http://hg.openjdk.java.net/jdk/jdk/file/6b54e8cd9b3d/jdk/src/java.base/share/classes/sun/security/util/AlgorithmDecomposer.java#l96 does not see "sha1".
On the other hand, it rejects both "SHA-1" and "sha-1", because it's a direct case-insenstive match.
Also, it allows both "SHA" and "sha" because there is no special code for it. Isn't "SHA" also an alias of "SHA-1"?
Do you think all these names should be recognized? Shall we clarify it in the spec?
More information about the security-dev