JDK-8318328 : DHKEM should check XDH name in case-insensitive mode
  • Type: Bug
  • Component: security-libs
  • Sub-Component: javax.crypto
  • Affected Version: 21,22
  • Priority: P4
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2023-10-17
  • Updated: 2025-05-07
  • Resolved: 2023-10-17
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

To download the current JDK release, click here.
JDK 22
22 b20Fixed
Related Reports
Relates :  
JDK-8297878 - KEM: Implementation
Description
In DHKEM, when an encapsulator or decapsulator is created from an XDH key, it reads in the name and compare it to either "X25519" or "X448" in case-sensitive mode. This is a standard algorithm name and the comparison should be performed case-insensitive.
Comments
[21u comment] Hi [~ssubramaniam] I agree that the risk to introduce an error by this backport is small. But it will change the behavior of applications as more algorithm names will be accepted. Thus I am not sure this is a good backport. Accepted algorithm names in OracleJDK and OpenJDK will differ, too.
05-05-2025
[jdk21u-fix-request] Approval Request from Satyen Subramaniam for backport. Simple fix that swaps out `equals` for `equalsIgnoreCase`. Risk: Low. Tip change was merged in October 2023 and adds a test to confirm correct functionality. Testing: * GHA Sanity Checks * Tier 1 and 2 tests locally * New `test/jdk/com/sun/crypto/provider/DHKEM/NameSensitiveness.java` test
01-05-2025
A pull request was submitted for review. Branch: master URL: https://git.openjdk.org/jdk21u-dev/pull/1728 Date: 2025-05-01 16:38:30 +0000
01-05-2025
Changeset: 5145e5a4 Author: Weijun Wang <weijun@openjdk.org> Date: 2023-10-17 19:36:17 +0000 URL: https://git.openjdk.org/jdk/commit/5145e5a40a8e9a87b3bc9f236dbf9e4b89094e46
17-10-2023
Lower the level to P4. As long as the keys are generated inside the SUN provider (no matter newly generated or from an encoding) the name should always be in uppercase and the original check works.
17-10-2023
A pull request was submitted for review. URL: https://git.openjdk.org/jdk/pull/16225 Date: 2023-10-17 18:03:33 +0000
17-10-2023