Summary

Backports the jdk.crypto.disabledAlgorithms security property introduced in JDK 26 under CSR JDK-8364386 for disabling algorithms in JCE/JCA services. This CSR differs by placing the “JDK Reference Implementation” notes, originally added to the javax.crypto and java.security javadoc, into the Release Notes instead.

Problem

As time goes by and algorithms become legacy, there are no mechanisms to stop or detect their use. With this new security property, once set, requests made to the supported service classes, i.e. Cipher, KeyStore, MessageDigest, and Signature, matching the disabled algorithm will be rejected with exception.

Solution

Add a security property "jdk.crypto.disabledAlgorithms" (overridable by a system property of the same name) whose value has the following syntax: "DisabledService {, DisabledService}"

Each "DisabledService" component has the format of "Service.AlgorithmName" where "Service" is one of Cipher, KeyStore, MessageDigest, or Signature (more services may be added later) and "AlgorithmName" is the standard algorithm name of the disabled service. See the Java Security Standard Algorithm Names Specification for information about Standard Algorithm Names. Matching is performed using a case-insensitive exact matching rule. For the Cipher service, its algorithm is the transformation string. If the property value contains entries with invalid syntax or unsupported services at the time of checking, an ExceptionInInitializerError with a cause of IllegalArgumentException will be thrown.

Note: This property is currently used by the JDK Reference implementation. It is not guaranteed to be examined and used by other implementations.

Specification

1. document the security property "jdk.crypto.disabledAlgorithms" in the java.security file. See patch below.

2. A release note will accompany this enhancement. Any necessary security docs updates willl be made also.

+#
+# Algorithm restrictions for Java Crypto API services
+#
+# In some environments, certain algorithms may be undesirable for certain
+# cryptographic services. For example, "MD2" is generally no longer considered
+# to be a secure hash algorithm.  This section describes the mechanism for
+# disabling algorithms at the JCA/JCE level based on service name and algorithm
+# name.
+#
+# If a system property of the same name is also specified, it supersedes the
+# security property value defined here.
+#
+# The syntax of the disabled services string is described as follows:
+#       "DisabledService {, DisabledService}"
+#
+#   DisabledService:
+#       Service.AlgorithmName
+#
+# Service:  (one of the following, more services may be added later)
+#     Cipher | KeyStore | MessageDigest | Signature
+#
+#   AlgorithmName:
+#       (see below)
+#
+# The "AlgorithmName" is the standard algorithm name of the disabled
+# service. See the Java Security Standard Algorithm Names Specification
+# for information about Standard Algorithm Names.  Matching is
+# performed using a case-insensitive exact matching rule. For Cipher service,
+# its algorithm is the transformation string.
+#
+# Note: If the property value contains entries with invalid syntax or
+# unsupported services at the time of checking, an ExceptionInInitializerError
+# with a cause of IllegalArgumentException will be thrown.
+#
+# Note: The restriction is applied in the various getInstance(...) methods
+# of the supported Service classes, i.e. Cipher, KeyStore, MessageDigest,
+# and Signature.
+#
+# Note: This property is currently used by the JDK Reference implementation.
+# It is not guaranteed to be examined and used by other implementations.
+#
+# Example:
+#   jdk.crypto.disabledAlgorithms=Cipher.RSA/ECB/PKCS1Padding, MessageDigest.MD2