Details

    • Type: Sub-task
    • Status: Resolved
    • Priority: P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 9
    • Component/s: security-libs
    • Labels: None

      Description

      This dev subtask involves implementing the jdkCA constraint (JDK-8140422). It also includes getting CCC approval.


      Problem
      With the increasing chances of collisions with SHA1-signed certificates, we need better control over a certificate's chain of trust without disabling the private CA-signed or self-signed certificates that an enterprise may depend on. Enterprises typically take longer to conform to algorithm restrictions. Today, the algorithm checking for CertPath is too coarse: it is either enabled or disabled.

      Solution
      Add a new constraint that applies the restricted algorithms to a certificate chain only if the trust anchor is a public CA in the cacerts keystore. This makes it possible to disable most CertPath validation and builder operations while still allowing private CA trust anchors or self-signed certificates to operate in a private/enterprise environment. This significantly reduces the compatibility risk for certificate algorithms such as SHA-1 that have been heavily deployed in enterprises, and allows us to disable them in a phased approach.

      The option is used in the jdk.certpath.disabledAlgorithms security property. The keyword is "jdkCA". To disable SHA1 under the new constraint, the property entry would look like "SHA1 jdkCA".

      Also, the syntax has been extended with an '&' keyword so that multiple constraints can be specified for each algorithm.
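The following is an added illustration, not code from the JDK or from this issue: a small Python model of the jdk.certpath.disabledAlgorithms syntax described above, with the jdkCA keyword and the '&' combinator, evaluated against a constructed certificate chain so that the phased-disablement behaviour is visible (SHA1 chains fail only when the anchor is a public CA from cacerts; a private or self-signed anchor is left alone). The keySize clause is an existing constraint form of that property; the combined entry "RSA jdkCA & keySize < 2048" is a constructed example of the '&' syntax, and the chain passed in is assumed to contain only the certificates whose signatures are verified (the leaf and any intermediates), not the trust anchor itself. The JDK's own name matching (DisabledAlgorithmConstraints) is richer than the simple "with"/"and" decomposition used here.

```python
"""Model of the jdk.certpath.disabledAlgorithms syntax with jdkCA and '&' (added example)."""
from __future__ import annotations

import operator
import re
from dataclasses import dataclass
from typing import Optional, Tuple, List


@dataclass
class Constraint:
    algorithm: str                          # e.g. "SHA1", "RSA" (upper-cased)
    jdk_ca_only: bool = False               # True when the entry carries the jdkCA keyword
    key_size: Optional[Tuple[str, int]] = None  # (operator, bits) from a "keySize <op> N" clause


@dataclass
class CertInfo:
    """Constructed stand-in for an X.509 certificate: only the fields the constraints look at."""
    sig_alg: str      # e.g. "SHA1withRSA"
    key_alg: str      # e.g. "RSA"
    key_bits: int


_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
_KEYSIZE_RE = re.compile(r"keySize\s*(<=|>=|<|>|==|!=)\s*(\d+)")


def parse_disabled_algorithms(value: str) -> List[Constraint]:
    """Parse 'ALG [clause [& clause ...]], ...' into Constraint objects."""
    constraints: List[Constraint] = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # First token is the algorithm name; the rest are constraint clauses joined by '&'
        parts = entry.split(None, 1)
        c = Constraint(algorithm=parts[0].upper())
        if len(parts) == 2:
            for clause in parts[1].split("&"):
                clause = clause.strip()
                if clause == "jdkCA":
                    c.jdk_ca_only = True
                    continue
                m = _KEYSIZE_RE.fullmatch(clause)
                if m:
                    c.key_size = (m.group(1), int(m.group(2)))
                    continue
                raise ValueError(f"unsupported constraint clause: {clause!r}")
        constraints.append(c)
    return constraints


def _algorithms(cert: CertInfo) -> set:
    """Decompose 'SHA1withRSA' into {'SHA1', 'RSA'} and add the key algorithm (simplified)."""
    names = set(re.split(r"with|and", cert.sig_alg, flags=re.IGNORECASE))
    names.add(cert.key_alg)
    return {n.upper() for n in names if n}


def check_chain(chain: List[CertInfo], anchor_in_cacerts: bool,
                constraints: List[Constraint]) -> List[Tuple[int, Constraint]]:
    """Return (chain index, constraint) pairs for every violated constraint."""
    violations = []
    for i, cert in enumerate(chain):
        for c in constraints:
            if c.jdk_ca_only and not anchor_in_cacerts:
                continue  # private CA or self-signed anchor: jdkCA-scoped entry does not apply
            if c.algorithm not in _algorithms(cert):
                continue
            if c.key_size is not None:
                op, bits = c.key_size
                # keySize applies to the key algorithm of this certificate only
                if c.algorithm != cert.key_alg.upper() or not _OPS[op](cert.key_bits, bits):
                    continue
            violations.append((i, c))
    return violations


def violations_for(property_value: str, chain: List[CertInfo],
                   anchor_in_cacerts: bool) -> List[Tuple[int, str]]:
    """Convenience wrapper returning (index, algorithm) pairs."""
    constraints = parse_disabled_algorithms(property_value)
    return [(i, c.algorithm) for i, c in check_chain(chain, anchor_in_cacerts, constraints)]


# Constructed property value: the combined RSA entry only illustrates the '&' syntax
PROPERTY = "MD2, MD5, SHA1 jdkCA, RSA keySize < 1024, RSA jdkCA & keySize < 2048"

# Constructed chain: leaf and intermediate, both SHA1-signed with 2048-bit RSA keys
SHA1_CHAIN = [CertInfo("SHA1withRSA", "RSA", 2048), CertInfo("SHA1withRSA", "RSA", 2048)]

if __name__ == "__main__":
    print("public CA anchor :", violations_for(PROPERTY, SHA1_CHAIN, anchor_in_cacerts=True))
    print("private anchor   :", violations_for(PROPERTY, SHA1_CHAIN, anchor_in_cacerts=False))
```

Running the block shows the same SHA1 chain rejected under a cacerts anchor and accepted under an enterprise anchor, while the unscoped "RSA keySize < 1024" entry still rejects weak keys regardless of the anchor.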

      People

      • Assignee: ascarpino Anthony Scarpino
      • Reporter: mullan Sean Mullan