8375549: ConcurrentModificationException if jdk.crypto.disabledAlgorithms has multiple entries with known oid

Valerie Peng · Valerie Peng · commit b43c4fce4e5f · 2026-02-02T19:28:03.000Z
Reviewed-by: shade, mullan Backport-of: e551240
diff --git a/src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java b/src/java.base/share/classes/sun/security/util/CryptoAlgorithmConstraints.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2025, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -82,8 +82,10 @@ public static boolean permits(String service, String algo) {
     CryptoAlgorithmConstraints(String propertyName) {
         super(null);
         disabledServices = getAlgorithms(propertyName, true);
-        debug("Before " + Arrays.deepToString(disabledServices.toArray()));
-        for (String dk : disabledServices) {
+        String[] entries = disabledServices.toArray(new String[0]);
+        debug("Before " + Arrays.deepToString(entries));
+
+        for (String dk : entries) {
             int idx = dk.indexOf(".");
             if (idx < 1 || idx == dk.length() - 1) {
                 // wrong syntax: missing "." or empty service or algorithm
diff --git a/test/jdk/javax/crypto/Cipher/TestDisabledWithOids.java b/test/jdk/javax/crypto/Cipher/TestDisabledWithOids.java
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2026, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8375549
+ * @summary Test JCE layer algorithm restriction using algorithms w/ oids
+ * @library /test/lib
+ * @run main/othervm -Djdk.crypto.disabledAlgorithms=Cipher.DES,Cipher.RSA/ECB/PKCS1Padding TestDisabledWithOids
+ * @run main/othervm -Djdk.crypto.disabledAlgorithms=Cipher.RSA/ECB/PKCS1Padding,Cipher.DES TestDisabledWithOids
+ */
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.Cipher;
+import jdk.test.lib.Utils;
+
+public class TestDisabledWithOids {
+    public static void main(String[] args) throws Exception {
+        String algo1 = "RSA/ECB/PKCS1Padding";
+        String algo2 = "DES";
+
+        Utils.runAndCheckException(() -> Cipher.getInstance(algo1),
+                            NoSuchAlgorithmException.class);
+        Utils.runAndCheckException(() -> Cipher.getInstance(algo2),
+                            NoSuchAlgorithmException.class);
+        System.out.println("Done");
+    }
+}
