JDK-8241893

Mirror jdk.security.allowNonCaAnchor system property with a security one

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 15
    • Component/s: security-libs
    • Labels:
      None
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      The introduction of a Security property mirroring an existing System property should not pose any compatibility risk.
    • Interface Kind:
      System or security property
    • Scope:
      JDK

      Description

      Summary

      Mirror the jdk.security.allowNonCaAnchor System property with a Security property of the same name. If both are set at the same time, the System property takes precedence.

      Problem

      Even though the jdk.security.allowNonCaAnchor System property can be used for backward-compatibility purposes after JDK-8230318, it's not possible to set its value in a global and persistent way: it has to be set as an argument for each JVM invocation.

      Solution

      By mirroring the jdk.security.allowNonCaAnchor System property with a Security one of the same name, the property value can be set in a global and persistent java.security file.

      Specification

      X.509 v3 certificates used as Trust Anchors (to validate signed code or TLS connections) must have the cA Basic Constraint field set to 'true'. Also, if they include a Key Usage extension, the keyCertSign bit must be set. These checks, enabled by default, can be disabled for backward-compatibility purposes with the jdk.security.allowNonCaAnchor System and Security properties. In the case that both properties are simultaneously set, the System value prevails.

      More information about the jdk.security.allowNonCaAnchor property can be found here.
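
An added example, not part of the CSR or the JDK sources: a small Java audit that lists the trusted-certificate entries in a truststore that would fail the two checks described in the Specification, so they can be replaced instead of disabling the checks globally. The class name AnchorAudit, the command-line arguments and the fallback to the cacerts default password are assumptions of this example.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class name): audit trust anchors against the CSR's checks.
public class AnchorAudit {
    static final String PROP = "jdk.security.allowNonCaAnchor";

    // Precedence as stated in the CSR: the System property wins over the Security one.
    static String effectiveValue() {
        String sys = System.getProperty(PROP);
        return sys != null ? sys : Security.getProperty(PROP);
    }

    // Returns null if the certificate passes, otherwise the reason it fails.
    static String violation(X509Certificate c) {
        if (c.getVersion() != 3) return null;      // the rule is stated for v3 certificates
        if (c.getBasicConstraints() == -1) return "cA Basic Constraint is not true";
        boolean[] ku = c.getKeyUsage();            // null when the extension is absent
        if (ku != null && !(ku.length > 5 && ku[5])) return "keyCertSign bit is not set";
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java AnchorAudit <truststore> [password]");
            System.exit(2);
        }
        // Assumption: "changeit" (the JDK cacerts default) when no password is given.
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pw);
        System.out.println(PROP + " effective value: " + effectiveValue());
        int bad = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;   // only trusted-cert entries
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            String why = violation((X509Certificate) cert);
            if (why != null) {
                bad++;
                System.out.println(alias + ": " + why);
            }
        }
        System.exit(bad == 0 ? 0 : 1);   // non-zero exit when any anchor fails
    }
}
```

A non-zero exit status means at least one anchor would be rejected while the checks are enabled; the printed effective value shows whether either property is currently set.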

              People

              • Assignee:
                mbalao Martin Balao
                Reporter:
                mbalao Martin Balao
                Reviewed By:
                Sean Mullan