On Fri, 17 Sep 2021 14:29:34 GMT, Sean Mullan <mul...@openjdk.org> wrote:

>> This change will disable JARs signed with algorithms using SHA-1 by default, 
>> and treat them as unsigned. This applies to the algorithms used to digest, 
>> sign, and optionally timestamp the JAR. It also applies to the signature and 
>> digest algorithms of the certificates in the certificate chain of the code 
>> signer and the Timestamp Authority, and any CRLs or OCSP responses that are 
>> used to verify if those certificates have been revoked. The specific details 
>> are more fully described in the CSR: 
>> https://bugs.openjdk.java.net/browse/JDK-8272155.
>> 
>> Some additional notes about the fix:
>> 
>> - This change was previously backed out of JDK 17 and delayed because of 
>> performance regressions. The overall performance is still to be verified, 
>> but the primary bottlenecks were addressed as follows:
>>     - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on 
>> `java.text.SimpleDateFormat` to format date fields which is expensive.
>>     - the `jdkCA` constraint has been removed as this caused the `cacerts` 
>> keystore to be loaded. Applications using SHA-1 JARs signed by certificates
>> that chain back to private CAs and are impacted by the restrictions can, at 
>> their own risk, adjust the properties and add back in the `jdkCA` constraint.
>> - `jarsigner` has been enhanced to more accurately warn about algorithms
>> that are disabled based on the constraints specified in the security 
>> properties. Previously it had used a simpler scheme which did not take into 
>> account constraints such as `Usage` or `DenyAfter`. Similar changes should 
>> also be made to `keytool` but that will be addressed in a separate issue.
>> - Some SHA-1 JARs used by tests where it does not affect the results have
>> been re-signed with SHA-2 algorithms.
>
> Sean Mullan has updated the pull request incrementally with four additional 
> commits since the last revision:
> 
>  - Add some more comments in the PKIX date() and timestamp() methods.
>    Remove extra newline from debugging output.
>  - Revert "Revert "Initial revision.""
>    
>    This reverts commit 4601bbb301455a5e35a3e9d691f791972cdd8204.
>  - Remove.
>  - Revert "Initial revision."
>    
>    This reverts commit d49ba3f0aaec51768298fe2247f53ffcbeb7c442.

Marked as reviewed by weijun (Reviewer).

src/java.base/share/classes/sun/security/provider/certpath/PKIX.java line 228:

> 226:             }
> 227:             return timestampDate;
> 228:         }

Can we also add some words to the `date()` method? Something which tells the 
major difference between it and `timestamp()`?

src/java.base/share/classes/sun/security/util/JarConstraintsParameters.java line 114:

> 112: 
> 113:     // extract last certificate and key from chain
> 114:     private void init(CertPath cp) {

The `init` name suggests it's only done once at the beginning, but actually 
it's an accumulation process. Can we find another name?

-------------

PR: https://git.openjdk.java.net/jdk/pull/5320
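As a pre-upgrade check for the restriction described in the PR, the following is an added example (not code from the PR or the JDK) that reports where a JAR depends on SHA-1: the digest attributes in MANIFEST.MF and the .SF file, and the signature algorithm of every certificate in the code signer's and TSA's chains. The class and helper names are this example's own; it takes the JAR path as its only argument and, on a JDK that already disables the algorithm, finds no verified code signers and says so.

```java
import java.io.IOException;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import java.util.jar.*;
// Audit helper added for illustration (not JDK code): finds where a signed JAR relies on SHA-1.
public class Sha1JarAudit {
    static String flag(String alg) {   // matches SHA1withRSA, SHA-1-Digest, SHA1-Digest, ...
        return alg.toUpperCase().replace("-", "").contains("SHA1") ? "  <-- SHA-1" : "";
    }
    // MANIFEST.MF and *.SF share the manifest format; digests appear as "<alg>-Digest..." attribute names.
    static Set<String> digestAlgs(Manifest mf) {
        Set<String> algs = new TreeSet<>();
        List<Attributes> sections = new ArrayList<>(mf.getEntries().values());
        sections.add(mf.getMainAttributes());
        for (Attributes attrs : sections)
            for (Object key : attrs.keySet()) {
                int i = key.toString().indexOf("-Digest");
                if (i > 0) algs.add(key.toString().substring(0, i));
            }
        return algs;
    }
    static void reportChain(String label, CertPath cp) {
        for (Object c : cp.getCertificates()) {
            String alg = ((X509Certificate) c).getSigAlgName();
            System.out.println(label + " certificate signed with " + alg + flag(alg));
        }
    }
    public static void main(String[] args) throws IOException {
        Set<CodeSigner> signers = new LinkedHashSet<>();
        try (JarFile jar = new JarFile(args[0], true)) {   // verify = true
            for (JarEntry e : Collections.list(jar.entries())) {
                String n = e.getName().toUpperCase();
                if (n.startsWith("META-INF/") && (n.endsWith(".SF") || n.endsWith("MANIFEST.MF")))
                    try (var in = jar.getInputStream(e)) {
                        for (String alg : digestAlgs(new Manifest(in)))
                            System.out.println(e.getName() + " uses digest " + alg + flag(alg));
                    }
                // Code signers are only populated once the entry's bytes have been read and verified.
                try (var in = jar.getInputStream(e)) { in.readAllBytes(); }
                if (e.getCodeSigners() != null) signers.addAll(Arrays.asList(e.getCodeSigners()));
            }
        }
        if (signers.isEmpty())
            System.out.println("no verified signers: unsigned, or signed with an algorithm this JDK disables");
        for (CodeSigner s : signers) {
            reportChain("signer", s.getSignerCertPath());
            if (s.getTimestamp() != null) reportChain("TSA", s.getTimestamp().getSignerCertPath());
        }
    }
}
```

A digest or certificate line marked `<-- SHA-1` is a place the JAR needs re-signing (or, for the chain, re-issuing) before the new default applies.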
