On Fri, 17 Sep 2021 14:29:34 GMT, Sean Mullan <mul...@openjdk.org> wrote:
>> This change will disable JARs signed with algorithms using SHA-1 by default,
>> and treat them as unsigned. This applies to the algorithms used to digest,
>> sign, and optionally timestamp the JAR. It also applies to the signature and
>> digest algorithms of the certificates in the certificate chain of the code
>> signer and the Timestamp Authority, and any CRLs or OCSP responses that are
>> used to verify if those certificates have been revoked. The specific details
>> are more fully described in the CSR:
>> https://bugs.openjdk.java.net/browse/JDK-8272155.
>>
>> Some additional notes about the fix:
>>
>> - This change was previously backed out of JDK 17 and delayed because of
>>   performance regressions. The overall performance is still to be verified,
>>   but the primary bottlenecks were addressed as follows:
>>   - `sun.security.util.DisabledAlgorithmConstraints` no longer depends on
>>     `java.text.SimpleDateFormat` to format date fields, which is expensive.
>>   - the `jdkCA` constraint has been removed as this caused the `cacerts`
>>     keystore to be loaded. Applications using SHA-1 JARs signed by certificates
>>     that chain back to private CAs and are impacted by the restrictions can, at
>>     their own risk, adjust the properties and add back in the `jdkCA` constraint.
>> - `jarsigner` has been enhanced to more accurately warn about algorithms
>>   that are disabled based on the constraints specified in the security
>>   properties. Previously it had used a simpler scheme which did not take into
>>   account constraints such as `Usage` or `DenyAfter`. Similar changes should
>>   also be made to `keytool`, but that will be addressed in a separate issue.
>> - Some SHA-1 JARs used by tests where it does not affect the results have
>>   been re-signed with SHA-2 algorithms.
>
> Sean Mullan has updated the pull request incrementally with four additional
> commits since the last revision:
>
>  - Add some more comments in the PKIX date() and timestamp() methods.
>    Remove extra newline from debugging output.
>  - Revert "Revert "Initial revision.""
>
>    This reverts commit 4601bbb301455a5e35a3e9d691f791972cdd8204.
>  - Remove.
>  - Revert "Initial revision."
>
>    This reverts commit d49ba3f0aaec51768298fe2247f53ffcbeb7c442.

Marked as reviewed by weijun (Reviewer).

src/java.base/share/classes/sun/security/provider/certpath/PKIX.java line 228:

> 226: }
> 227: return timestampDate;
> 228: }

Can we also add some words to the `date()` method? Something which tells the major difference between it and `timestamp()`?

src/java.base/share/classes/sun/security/util/JarConstraintsParameters.java line 114:

> 112:
> 113: // extract last certificate and key from chain
> 114: private void init(CertPath cp) {

The `init` name suggests it's only done once at the beginning, but actually it's an accumulation process. Can we find another name?

-------------

PR: https://git.openjdk.java.net/jdk/pull/5320
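An added defender-side check, not code from the PR or from the JDK itself: this small Java program opens a JAR with verification enabled and reports whether its content entries still carry code signers, which is how a JAR whose SHA-1 signature is rejected by the `jdk.jar.disabledAlgorithms` security property shows up on a JDK with this change (`.SF` files present, but no signers). The class name and output wording are my own.

```java
import java.io.*;
import java.security.CodeSigner;
import java.security.Timestamp;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not code from the PR: does a signed JAR still yield code
// signers under the current jdk.jar.disabledAlgorithms policy?
public class JarSignerReport {
    public static void main(String[] args) throws IOException {
        boolean hasSignatureFile = false;
        int content = 0, signed = 0;
        try (JarFile jar = new JarFile(args[0], true)) { // true = verify signatures
            Enumeration<JarEntry> entries = jar.entries();
            while (entries.hasMoreElements()) {
                JarEntry e = entries.nextElement();
                String name = e.getName();
                if (name.startsWith("META-INF/")) {  // signature metadata, not content
                    if (name.endsWith(".SF")) hasSignatureFile = true;
                    continue;
                }
                if (e.isDirectory()) continue;
                // Signers are populated only after the entry is read to EOF and digested.
                try (InputStream in = jar.getInputStream(e)) {
                    in.transferTo(OutputStream.nullOutputStream());
                }
                content++;
                CodeSigner[] signers = e.getCodeSigners();
                if (signers == null || signers.length == 0) continue;
                if (signed++ == 0) describe(signers[0]); // print the first signer once
            }
        }
        System.out.printf("%d content entries, %d with code signers%n", content, signed);
        if (hasSignatureFile && signed == 0) {
            System.out.println("Signature files present but ignored: the JAR is treated as unsigned. Re-run with -Djava.security.debug=jar for verification details.");
        }
    }

    private static void describe(CodeSigner s) {
        for (Certificate c : s.getSignerCertPath().getCertificates()) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  " + x.getSubjectX500Principal() + " [" + x.getSigAlgName() + "]");
        }
        Timestamp ts = s.getTimestamp();
        if (ts != null) System.out.println("  timestamped at " + ts.getTimestamp());
    }
}
```

Run it against the same JAR on a JDK before and after this change to see the signer list disappear once the SHA-1 digest or signature algorithm is disabled; the per-certificate `getSigAlgName()` output also shows which link in the chain (signer, CA or TSA) uses SHA-1.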