8244336: Restrict algorithms at JCE layer

[valeriepeng]

This enhancement introduces a new security property "jdk.crypto.disabledAlgorithms" which can be leveraged to disable algorithms for JCE/JCA crypto services. For now, only Cipher, KeyStore, MessageDigest, and Signature services support this new security property. The support can be expanded later to cover more services if needed. Note that this security property is meant to disable algorithms irrespective of providers. If the algorithm is found to be disabled, it will be rejected before reaching out to provider(s) for the corresponding implementation(s).

A few implementation notes:

1. The specified security property value is lazily loaded and all changes after it's been loaded are ignored. Invalid entries, e.g. wrong syntax, are ignored and removed. The algorithm name check is case-insensitive. If a disabled algorithm is known to has an object identifier (oid) by JDK, this oid and its aliases is also added to the disabled services.
2. The algorithm name checking impl is based on the sun.security.util.AlgorithmConstraints class, but without the decomposing and different constraints.
3. The hardwiring of NONEwithRSA signature to RSA/ECB/PKCS1Padding cipher in java.security.Signature class is removed. Instead, this is moved to the provider level, i.e. SunJCE and SunPKCS11 provider are changed to claim the NONEwithRSA signature support. Disabling one will not affect the other.

CSR will be filed once the review is wrapping up.

Thanks~
Valerie

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change requires a CSR request matching fixVersion 26 to be approved (needs to be created)

Issue

• JDK-8244336: Restrict algorithms at JCE layer (Enhancement - P3)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/26377/head:pull/26377
$ git checkout pull/26377

Update a local copy of the PR:
$ git checkout pull/26377
$ git pull https://git.openjdk.org/jdk.git pull/26377/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 26377

View PR using the GUI difftool:
$ git pr show -t 26377

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/26377.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back valeriep! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@valeriepeng The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[mlbridge]

Webrevs

• 00: Full (ee0b9c63)

[valeriepeng]

/csr

[openjdk]

@valeriepeng has indicated that a compatibility and specification (CSR) request is needed for this pull request.

@valeriepeng please create a CSR request for issue JDK-8244336 with the correct fix version. This pull request cannot be integrated until the CSR request is approved.