Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8148888 Improve Algorithm Constraints
  3. JDK-8130766

Add notAfter constraint to the jdk.certpath.disabledAlgorithms security property

    XMLWordPrintable

    Details

      Description

      A additional constraint should be added to the jdk.certpath.disabledAlgorithms security property to allow for further granularity and flexibility.

      A NotAfterConstraint can be used to block certificates that expire after a certain date, or in the case of signed JARs, allow them to be used if timestamped before that date. This type of constraint is useful for sunsetting algorithms that are weak and should not be used after a certain point in the future but also allow existing certificates that expire before that date, or signed JARs that have been timestamped before that date, to continue working.

      Proposed syntax:

      # NotAfterConstraint:
      # notAfter Date
      #
      # Date
      # YYYYMMDD

      All dates are interpreted in the GMT timezone. Example:

      jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, SHA-1 notAfter 20170101 eku serverAuth, clientAuth, codeSigning

        Attachments

          Activity

            People

            Assignee:
            ascarpino Anthony Scarpino
            Reporter:
            mullan Sean Mullan
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Dates

              Due:
              Created:
              Updated:
              Resolved: